WhatsApp has published details of a “critical”-rated security vulnerability affecting its Android app that could allow attackers to remotely plant malware on a victim’s smartphone during a video call.
Details of the flaw, tracked as CVE-2022-36934 with an assigned severity rating of 9.8 out of 10, is described by WhatsApp as an integer overflow bug. This happens when an app tries to perform a computational process but has no space in its allotted memory, causing the data to spill out and overwrite other parts of the system’s memory with potentially malicious code.
WhatsApp didn’t share any further details about the bug. But security research firm Malwarebytes said in its own technical analysis that the bug is found in a WhatsApp app component called “Video Call Handler,” which if triggered would allow an attacker to take complete control of a victim’s app.
WhatsApp spokesperson Joshua Breckman told TechCrunch that the bugs were discovered in-house and that the company has seen “no evidence of exploitation.”
The critical-rated memory vulnerability is similar to a 2019 bug, which WhatsApp ultimately blamed on Israeli spyware maker NSO Group in 2019 to target 1,400 victims’ phones, including journalists, human rights defenders and other civilians. The attack leveraged a bug in WhatsApp’s audio calling feature that allowed the caller to plant spyware on a victim’s device, regardless of whether the call was answered.
WhatsApp also disclosed this week details of another vulnerability, CVE-2022-27492, rated “high” in severity at 7.8 out of 10, which could allow hackers to run malicious code on a victim’s iOS device after sending a malicious video file.
“The manipulation with an unknown input leads to a memory corruption vulnerability,” said Pieter Arntz, an intelligence researcher at Malwarebytes. “To exploit this vulnerability, attackers would have to drop a crafted video file on the user’s WhatsApp messenger and convince the user to play it.”
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
Both flaws are patched in the latest versions of WhatsApp. Update today.
Facebook users sue Meta, accusing the company of tracking on iOS through a loophole
