CVE-2018-6339 - Vulnerability Details - OpenCVE

When receiving calls using WhatsApp on Android, a stack allocation failed to properly account for the amount of data being passed in. An off-by-one error meant that data was written beyond the allocated space on the stack. This issue affects WhatsApp for Android starting in version 2.18.180 and was fixed in version 2.18.295. It also affects WhatsApp Business for Android starting in version v2.18.103 and was fixed in version v2.18.150.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00433.

Key SSVC decision points have not yet been added.

Vendors	Products
Whatsapp	Whatsapp Whatsapp Business

Configuration 1 [-]

OR	cpe:2.3:a:whatsapp:whatsapp::::::android::*
	cpe:2.3:a:whatsapp:whatsapp_business::::::android::*

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.facebook.com/security/advisories/cve-2018-6339/

History

Wed, 03 Sep 2025 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Whatsapp whatsapp Business
CPEs	cpe:2.3:a:whatsapp:whatsapp:::::business:android::	cpe:2.3:a:whatsapp:whatsapp_business::::::android::*
Vendors & Products		Whatsapp whatsapp Business

MITRE

Status: PUBLISHED

Assigner: facebook

Published: 2019-06-14T17:02:57

Updated: 2024-08-05T06:01:48.697Z

Reserved: 2018-01-26T00:00:00

Link: CVE-2018-6339

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-06-14T17:29:02.003

Modified: 2025-09-03T17:36:53.303

Link: CVE-2018-6339

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "WhatsApp for Android", "vendor": "Facebook", "versions": [{"status": "affected", "version": "2.18.295"}, {"lessThan": "unspecified", "status": "affected", "version": "2.18.180", "versionType": "custom"}, {"lessThan": "2.18.180", "status": "unaffected", "version": "unspecified", "versionType": "custom"}]}, {"product": "WhatsApp Business for Android", "vendor": "Facebook", "versions": [{"status": "affected", "version": "2.18.150"}, {"lessThan": "unspecified", "status": "affected", "version": "2.18.103", "versionType": "custom"}, {"lessThan": "2.18.103", "status": "unaffected", "version": "unspecified", "versionType": "custom"}]}], "dateAssigned": "2018-12-30T00:00:00", "descriptions": [{"lang": "en", "value": "When receiving calls using WhatsApp on Android, a stack allocation failed to properly account for the amount of data being passed in. An off-by-one error meant that data was written beyond the allocated space on the stack. This issue affects WhatsApp for Android starting in version 2.18.180 and was fixed in version 2.18.295. It also affects WhatsApp Business for Android starting in version v2.18.103 and was fixed in version v2.18.150."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "description": "Stack-based Buffer Overflow (CWE-121)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-06-14T17:02:57", "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "shortName": "facebook"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.facebook.com/security/advisories/cve-2018-6339/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-assign@fb.com", "DATE_ASSIGNED": "2018-12-30", "ID": "CVE-2018-6339", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "WhatsApp for Android", "version": {"version_data": [{"version_affected": "!=>", "version_value": "2.18.295"}, {"version_affected": ">=", "version_value": "2.18.180"}, {"version_affected": "!<", "version_value": "2.18.180"}]}}, {"product_name": "WhatsApp Business for Android", "version": {"version_data": [{"version_affected": "!=>", "version_value": "2.18.150"}, {"version_affected": ">=", "version_value": "2.18.103"}, {"version_affected": "!<", "version_value": "2.18.103"}]}}]}, "vendor_name": "Facebook"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "When receiving calls using WhatsApp on Android, a stack allocation failed to properly account for the amount of data being passed in. An off-by-one error meant that data was written beyond the allocated space on the stack. This issue affects WhatsApp for Android starting in version 2.18.180 and was fixed in version 2.18.295. It also affects WhatsApp Business for Android starting in version v2.18.103 and was fixed in version v2.18.150."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Stack-based Buffer Overflow (CWE-121)"}]}]}, "references": {"reference_data": [{"name": "https://www.facebook.com/security/advisories/cve-2018-6339/", "refsource": "MISC", "url": "https://www.facebook.com/security/advisories/cve-2018-6339/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T06:01:48.697Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.facebook.com/security/advisories/cve-2018-6339/"}]}]}, "cveMetadata": {"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "assignerShortName": "facebook", "cveId": "CVE-2018-6339", "datePublished": "2019-06-14T17:02:57", "dateReserved": "2018-01-26T00:00:00", "dateUpdated": "2024-08-05T06:01:48.697Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:android:*:*", "matchCriteriaId": "6AF2CF4A-DE98-48CC-A13A-E168EA4678E6", "versionEndExcluding": "2.18.295", "versionStartIncluding": "2.18.180", "vulnerable": true}, {"criteria": "cpe:2.3:a:whatsapp:whatsapp_business:*:*:*:*:*:android:*:*", "matchCriteriaId": "9FF4FF16-10F8-46BB-8A68-6044A193E5E3", "versionEndExcluding": "2.18.150", "versionStartIncluding": "2.18.103", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When receiving calls using WhatsApp on Android, a stack allocation failed to properly account for the amount of data being passed in. An off-by-one error meant that data was written beyond the allocated space on the stack. This issue affects WhatsApp for Android starting in version 2.18.180 and was fixed in version 2.18.295. It also affects WhatsApp Business for Android starting in version v2.18.103 and was fixed in version v2.18.150."}, {"lang": "es", "value": "Cuando se reciben llamadas con WhatsApp en Android, en la asignaci\u00f3n de pila no se considera adecuadamente la cantidad de datos que est\u00e1n pasando. Un error de uno en uno significaba que los datos se escrib\u00edan fuera del espacio asignado en la pila. Este problema afecta a WhatsApp para Android a partir de la versi\u00f3n 2.18.180 y se corrigi\u00f3 en la versi\u00f3n 2.18.295. Tambi\u00e9n afecta a WhatsApp Business para Android a partir de la versi\u00f3n v2.18.103 y se corrigi\u00f3 en la versi\u00f3n v2.18.150."}], "id": "CVE-2018-6339", "lastModified": "2025-09-03T17:36:53.303", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-14T17:29:02.003", "references": [{"source": "cve-assign@fb.com", "tags": ["Third Party Advisory"], "url": "https://www.facebook.com/security/advisories/cve-2018-6339/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.facebook.com/security/advisories/cve-2018-6339/"}], "sourceIdentifier": "cve-assign@fb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "cve-assign@fb.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}