PT-2019-6103 · Facebook · Whatsapp Business For Ios +5

Published: 2019-05-13 · Updated: 2025-08-30 · CVE-2019-3568

CVSS v3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Name of the Vulnerable Software and Affected Versions:**

WhatsApp versions prior to 2.19.134 (Android)

WhatsApp Business versions prior to 2.19.44 (Android)

WhatsApp versions prior to 2.19.51 (iOS)

WhatsApp Business versions prior to 2.19.51 (iOS)

WhatsApp versions prior to 2.18.348 (Windows Phone)

WhatsApp versions prior to 2.18.15 (Tizen)

**Description:**

A heap-based buffer overflow vulnerability exists in the WhatsApp VoIP stack. It allows remote code execution (RCE) through specially crafted Real-time Transport Control Protocol (RTCP) packets sent during a WhatsApp voice call. Exploitation requires no user interaction, making this a zero-click attack. The root cause is a failure to properly validate control fields within RTCP packets, specifically the extended report block lengths and payload types. An attacker can use the overflow to corrupt heap metadata, hijack the return address, and ultimately execute arbitrary code on the target device. The Pegasus spyware was reportedly deployed using this vulnerability.
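The description attributes the overflow to unvalidated length fields in RTCP control packets. As an added illustration (hypothetical defensive code written for this page, not WhatsApp's implementation and not a reconstruction of the actual bug), the C validator below shows the kind of check an RTCP parser needs before trusting an XR packet's header length and report-block lengths: each length is compared against the bytes actually received before it is used to advance through the buffer. The sample packets are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative RTCP XR (RFC 3611, PT 207) length validator.
 * Hypothetical defensive code, not WhatsApp's implementation. */
#define RTCP_PT_XR 207

/* Returns 1 if buf/len holds a well-formed RTCP XR packet whose header
 * length and every report-block length fit inside the data actually
 * received, 0 if any length field would walk past the buffer. */
int rtcp_xr_validate(const uint8_t *buf, size_t len) {
    if (len < 8) return 0;                       /* common header + SSRC */
    if ((buf[0] >> 6) != 2) return 0;            /* RTP/RTCP version 2 */
    if (buf[1] != RTCP_PT_XR) return 0;
    /* header length field = number of 32-bit words in the packet, minus one */
    size_t pkt_len = ((((size_t)buf[2] << 8) | buf[3]) + 1) * 4;
    if (pkt_len > len) return 0;                 /* declared > received */
    if (buf[0] & 0x20) {                         /* padding bit set */
        size_t pad = buf[pkt_len - 1];           /* last octet = pad count */
        if (pad == 0 || pad > pkt_len - 8) return 0;
        pkt_len -= pad;
    }
    size_t off = 8;
    while (off < pkt_len) {
        if (pkt_len - off < 4) return 0;         /* truncated block header */
        /* block length field = 32-bit words following the 4-byte block header */
        size_t blen = (((size_t)buf[off + 2] << 8) | buf[off + 3]) * 4;
        if (blen > pkt_len - off - 4) return 0;  /* block overruns packet */
        off += 4 + blen;
    }
    return 1;
}

/* Constructed samples: one consistent XR packet (one 8-byte Receiver
 * Reference Time block, BT=4) and one whose block length is inflated. */
static const uint8_t kGoodXr[20] = {
    0x80, RTCP_PT_XR, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef,
    0x04, 0x00, 0x00, 0x02, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t kBadXr[20] = {
    0x80, RTCP_PT_XR, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef,
    0x04, 0x00, 0x00, 0xff, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void) {
    printf("good: %d, inflated block: %d, truncated: %d\n",
           rtcp_xr_validate(kGoodXr, 20), rtcp_xr_validate(kBadXr, 20),
           rtcp_xr_validate(kGoodXr, 16));
    return 0;
}
```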

**Recommendations:**

Update WhatsApp to version 2.19.134 or later on Android devices.

Update WhatsApp Business to version 2.19.44 or later on Android devices.

Update WhatsApp to version 2.19.51 or later on iOS devices.

Update WhatsApp Business to version 2.19.51 or later on iOS devices.

Update WhatsApp to version 2.18.348 or later on Windows Phone devices.

Update WhatsApp to version 2.18.15 or later on Tizen devices.

Fix

RCE

Memory Corruption

Buffer Overflow

Heap Based Buffer Overflow

Weakness Enumeration

Related Identifiers

BDU:2021-05420
CVE-2019-3568

Affected Products

Whatsapp Business For Android
Whatsapp Business For Ios
Whatsapp For Android
Whatsapp For Tizen
Whatsapp For Windows Phone
Whatsapp For Ios