The cam_get_device_priv function does not check the type of handle being returned (device/session/link). This would lead to invalid type usage if a wrong handle is passed to it.
Memory corruption in WLAN Host while setting the PMK length in the internal cache.
Memory corruption in WLAN HAL while processing command parameters from untrusted WMI payload.
Memory corruption in WLAN HAL while processing devIndex from untrusted WMI payload.
Memory corruption in TZ Secure OS while loading an app ELF.
Memory corruption in WIN Product while invoking WinAcpi update driver in the UEFI region.
Memory corruption while allocating memory in COmxApeDec module in Audio.
Memory corruption in WLAN HAL while handling command streams through WMI interfaces.
Memory corruption in WLAN FW while processing command parameters from untrusted WMI payload.
Memory corruption in WLAN handler while processing PhyID in Tx status handler.
Thread start can cause invalid memory writes to an arbitrary memory location because the argument is passed by the user to the kernel in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in MDM9205, MDM9640, MSM8996AU, QCA6574, QCS605, Qualcomm 215, SD 425, SD 427, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, SDX24, Snapdragon_High_Med_2016, SXR1130.
Memory corruption in Data Modem while processing DMA buffer release event about CFR data.
Memory corruption in WLAN HAL while passing command parameters through WMI interfaces.
Memory corruption in MPP performance while accessing DSM watermark using external memory address.
Memory corruption in SPS Application while requesting for public key in sorter TA.
Memory corruption in UTILS when modem processes memory specific Diag commands having arbitrary address values as input arguments.
Cryptographic issue in HLOS during key management.
Memory corruption while processing audio effects.
Memory corruption in Core Services while executing the command for removing a single event listener.
Memory corruption in BT controller while parsing debug commands with specific sub-opcodes at HCI interface level.
Memory corruption when the lifetime expires for IPv6 prefix timer objects that are created while the Netmgr daemon gets an IPv6 address.
Improper Access Control for RPU write access from secure processor in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in APQ8017, APQ8053, APQ8098, IPQ8074, MDM9150, MDM9650, MDM9655, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8998, Nicobar, QCA8081, QCN7605, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX55, SM6150, SM7150, SM8150, SXR1130
Memory corruption may occur while validating ports and channels in Audio driver.
Memory corruption may occur during communication between primary and guest VM.
Memory corruption while reading a type value from a buffer controlled by the Guest Virtual Machine.
Memory corruption may occur in keyboard virtual device due to guest VM interaction.
Memory corruption may occur due to improper input validation in clock device.
Memory corruption while doing an Escape call when the user provides a valid kernel address in place of a valid user buffer address.
Memory corruption while reading a value from a buffer controlled by the Guest Virtual Machine.
Memory corruption while operating the mailbox in Automotive.
Memory corruption may occur while processing message from frontend during allocation.
Memory corruption while processing input message passed from FE driver.
Memory corruption in display driver while detaching a device.
Memory corruption may occur while attaching VM when the HLOS retains access to VM.
Memory corruption while power-up or power-down sequence of the camera sensor.
Memory corruption while triggering commands in the PlayReady Trusted application.
Memory corruption while reading CPU state data during guest VM suspend.
Memory corruption during memory assignment to headless peripheral VM due to incorrect error code handling.
Memory corruption while invoking IOCTL calls from user-space to validate FIPS encryption or decryption functionality.
Memory corruption in Camera due to unusually high number of nodes passed to AXI port.
Memory corruption while processing IOCTL from user space to handle GPU AHB bus error.
Memory corruption while reading secure file.
Memory corruption during array access in Camera kernel due to invalid index from invalid command data.
Memory corruption when blob structure is modified by user-space after kernel verification.
Memory corruption while handling schedule request in Camera Request Manager (CRM) due to invalid link count in the corresponding session.
Memory corruption while invoking IOCTL calls from userspace to camera kernel driver to dump request information.
Memory corruption while processing IOCTL call invoked from user-space to verify non extension FIPS encryption and decryption functionality.
Memory corruption can occur if an already verified IFS2 image is overwritten, bypassing boot verification. This allows unauthorized programs to be injected into security-sensitive images, enabling the booting of a tampered IFS2 system image.
Memory corruption may occur while generating test pattern due to negative indexing of display ID.
Memory corruption while taking a snapshot with hardware encoder due to unvalidated userspace buffer.