CVE-2019-11932
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2019-11932
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11932.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2019-11932
- Aliases
- Published
- 2019-10-03T22:15:10.370Z
- Modified
- 2025-11-20T10:55:38.482563Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
A double free vulnerability in the DDGifSlurp function in decoding.c in the android-gif-drawable library before version 1.2.18, as used in WhatsApp for Android before version 2.19.244 and many other Android applications, allows remote attackers to execute arbitrary code or cause a denial of service when the library is used to parse a specially crafted GIF image.
- References
-
- http://packetstormsecurity.com/files/154867/Whatsapp-2.19.216-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/158306/WhatsApp-android-gif-drawable-Double-Free.html
- http://seclists.org/fulldisclosure/2019/Nov/27
- https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/
- https://gist.github.com/wdormann/874198c1bd29c7dd2157d9fc1d858263
- https://github.com/koral--/android-gif-drawable/commit/cc5b4f8e43463995a84efd594f89a21f906c2d20
- https://github.com/koral--/android-gif-drawable/pull/673
- https://github.com/koral--/android-gif-drawable/pull/673/commits/4944c92761e0a14f04868cbcf4f4e86fd4b7a4a9
- https://www.facebook.com/security/advisories/cve-2019-11932
Affected packages
Git / github.com/koral--/android-gif-drawable
Affected ranges
- Type
- GIT
- Repo
- https://github.com/koral--/android-gif-drawable
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v1.*
v1.0.0
v1.0.1
v1.0.10
v1.0.11
v1.0.12
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.1.0
v1.1.1
v1.1.10
v1.1.11
v1.1.12
v1.1.13
v1.1.14
v1.1.15
v1.1.16
v1.1.17
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.1.8
v1.1.9
v1.2.0
v1.2.1
v1.2.10
v1.2.11
v1.2.12
v1.2.16
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.2.7
Database specific
vanir_signatures
[
{
"target": {
"file": "android-gif-drawable/src/main/c/decoding.c"
},
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2019-11932-20c00734",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"307494684151968822352496849915942941334",
"179646405047686153803200246891620737399",
"3565184496671623564557538637471165139",
"319716975894053961623641977136312660817",
"247672870486026284567417504325281799838",
"231133232878314181211603384170963396143"
]
},
"source": "https://github.com/koral--/android-gif-drawable/commit/cc5b4f8e43463995a84efd594f89a21f906c2d20"
},
{
"target": {
"file": "android-gif-drawable/src/main/c/decoding.c",
"function": "DDGifSlurp"
},
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2019-11932-e657e0c4",
"signature_type": "Function",
"digest": {
"length": 3101.0,
"function_hash": "256783787093088157937719302303409991667"
},
"source": "https://github.com/koral--/android-gif-drawable/commit/cc5b4f8e43463995a84efd594f89a21f906c2d20"
}
]