CVE-2018-20655 in WhatsApp
Summary
by MITRE
When receiving calls using WhatsApp for iOS, a missing size check when parsing a sender-provided packet allowed for a stack-based overflow. This issue affects WhatsApp for iOS prior to v2.18.90.24 and WhatsApp Business for iOS prior to v2.18.90.24.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 09/03/2025
This vulnerability represents a critical stack-based buffer overflow condition that occurred during the processing of incoming calls within WhatsApp for iOS applications. The flaw emerged from insufficient input validation during packet parsing operations, specifically when handling data transmitted by remote senders. The vulnerability affected both standard WhatsApp for iOS and WhatsApp Business for iOS clients, with versions prior to 2.18.90.24 being susceptible to exploitation. This type of vulnerability falls under the Common Weakness Enumeration category CWE-121, which describes stack-based buffer overflow conditions where insufficient bounds checking allows attackers to overwrite adjacent memory locations on the program stack.
The technical implementation of this vulnerability exploited the absence of proper size validation when processing incoming call packets from remote users. When a malicious actor initiated a call to a vulnerable device, the application would attempt to parse the incoming data without verifying that the packet size remained within expected parameters. This missing validation allowed an attacker to craft specially malformed packets that would exceed the allocated stack buffer space, leading to arbitrary code execution possibilities. The attack vector specifically targeted the call processing subsystem where WhatsApp for iOS handles incoming communication requests from other users, making it particularly dangerous given the widespread use of the application.
The operational impact of this vulnerability extended beyond simple application instability, as it provided potential attackers with opportunities for remote code execution on targeted devices. An attacker could leverage this vulnerability to execute arbitrary code with the privileges of the WhatsApp process, potentially leading to complete device compromise. The exploitation required minimal user interaction since the vulnerability was triggered during the automatic call processing routine, making it particularly concerning from a security perspective. This weakness could enable attackers to access sensitive user data, intercept communications, or install additional malicious software on affected devices, representing a significant threat to user privacy and device security.
Mitigation strategies for this vulnerability centered on immediate software updates to versions 2.18.90.24 and later, which implemented proper input validation and size checking mechanisms for incoming packet data. Security practitioners should also implement network monitoring to detect anomalous call traffic patterns that might indicate exploitation attempts. The vulnerability aligns with ATT&CK technique T1059.007, which covers command and scripting interpreter usage, as exploitation could potentially involve executing malicious code through compromised WhatsApp processes. Organizations should also consider implementing network segmentation and access controls to limit the potential impact of such vulnerabilities, while maintaining regular security updates to address similar issues in mobile applications.