CVE-2019-11932 — android-gif-drawable Double Free vulnerability

Description

A double free vulnerability in the DDGifSlurp function in decoding.c in the android-gif-drawable library before version 1.2.18, as used in WhatsApp for Android before version 2.19.244 and many other Android applications, allows remote attackers to execute arbitrary code or cause a denial of service when the library is used to parse a specially crafted GIF image.

How to fix CVE-2019-11932

To remediate CVE-2019-11932, upgrade the affected package to a fixed version below.

—upgrade to 1.2.18 or later

Is CVE-2019-11932 being exploited?

Likely — EPSS is 71.0%, placing CVE-2019-11932 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

from 0, < 1.2.18

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (11)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-11932
PATCHgithub.com/koral--/android-gif-drawable
WEBpacketstormsecurity.com/files/154867/Whatsapp-2.19.216-Remote-Code-Execution.html
WEBpacketstormsecurity.com/files/158306/WhatsApp-android-gif-drawable-Double-Free.html