PT-2019-12568 · Whatsapp+1 · Whatsapp For Android+1

Os97673 · Published 2019-10-03 · Updated 2025-07-07 · CVE-2019-11932

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

android-gif-drawable library versions prior to 1.2.18
WhatsApp for Android versions prior to 2.19.244

Description

A double free vulnerability in the DDGifSlurp function allows remote attackers to execute arbitrary code or cause a denial of service when the library is used to parse a specially crafted GIF image. This issue was reportedly used in a real-world attack, where a video was delivered through an encrypted downloader hosted on WhatsApp's media server, potentially allowing attackers to gain access to a device. The video itself was not malicious, but the exploit was embedded in the file, making it slightly larger than the video. The estimated number of potentially affected devices is not specified, but many Android applications that use the android-gif-drawable library are vulnerable.

Recommendations

For android-gif-drawable library versions prior to 1.2.18, update to version 1.2.18 or later to resolve the issue.
For WhatsApp for Android versions prior to 2.19.244, update to version 2.19.244 or later to resolve the issue.
As a temporary workaround, consider disabling the use of GIF images in affected applications until a patch is available.
Restrict access to the DDGifSlurp function to minimize the risk of exploitation.

Exploit

Fix

Double Free

Weakness Enumeration

Related Identifiers

CVE-2019-11932
GHSA-X534-J49X-MQVJ

Affected Products

WhatsApp for Android
android-gif-drawable