Android-Gif-Drawable Double-Free

Risk: High
Local: No
Remote: Yes
CWE: CWE-415

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Hi list, CVE-2019-11932 is a vulnerability in the android-gif-drawable library. Yet the CVE text doesn't mention "android-gif-drawable". It only mentions WhatsApp. There could be over 28,400 free Android apps that use this library. And it seems that quite a few (24) of those 28k+ apps other than WhatsApp that use android-gif-drawable have install bases just as large as the WhatsApp install base (1 billion+, per Google Play). In example, Viber Version from Sep 2019 ( is vulnerable to CVE-2019-11932 (double free in libpl_droidsonroids_gif) . Latest 11.9.1 not anymore. Stacktrace from vuln version: Great work was made to compile list of apps using the framework: Patch it up folks Nice idea would be to create shodan or Wappalyzer search engine for Android Apps frameworks. Count me in, if you want to build something like this. Thanks, Marcin

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020,


Back to Top