Memory corruption while invoking IOCTL calls from user space to set generic private command inside WLAN driver.
Memory corruption when IOMMU unmap operation fails, the DMA and anon buffers are getting released.
Memory corruption while handling file descriptor during listener registration/de-registration.
Memory corruption while creating an LPAC client as LPAC engine was allowed to access GPU registers.
Memory corruption when a compat IOCTL call is followed by another IOCTL call from userspace to a driver.
Memory corruption while processing IPA statistics, when there are no active clients registered.
Memory corruption when IOMMU unmap of a GPU buffer fails in Linux.
Memory corruption when size of buffer from previous call is used without validation or re-initialization.
Memory corruption in Kernel while handling GPU operations.
Memory corruption when the payload received from firmware is not as per the expected protocol size.
Memory corruption during voice activation, when sound model parameters are loaded from HLOS to ADSP.
Memory corruption occurs during the copying of read data from the EEPROM because the IO configuration is exposed as shared memory.
Memory corruption while performing finish HMAC operation when context is freed by keymaster.
Memory corruption while processing API calls to NPU with invalid input.
Memory corruption when invalid input is passed to invoke GPU Headroom API call.
Memory corruption when preparing a shared memory notification for a memparcel in Resource Manager.
Memory corruption when there is failed unmap operation in GPU.
Memory corruption while processing key blob passed by the user.
In function msm_pcm_playback_close() in all Android releases from CAF using the Linux kernel, prtd is assigned substream->runtime->private_data. Later, prtd is freed. However, prtd is not sanitized and set to NULL, resulting in a dangling pointer. There are other functions that access the same memory (substream->runtime->private_data) with a NULL check, such as msm_pcm_volume_ctl_put(), which means this freed memory could be used.
In all Android releases from CAF using the Linux kernel, while processing a voice SVC request which is nonstandard by specifying a payload size that will overflow its own declared size, an out of bounds memory copy occurs.
Memory corruption while parsing the memory map info in IOCTL calls.
Memory corruption while handling IOCTL calls in JPEG Encoder driver.
Memory corruption while registering a buffer from user-space to kernel-space using IOCTL calls.
Memory corruption while processing frame packets.
Memory corruption while invoking IOCTL calls from user-space to kernel-space to handle session errors.
Memory corruption while processing GPU page table switch.
Memory corruption while processing concurrent IOCTL calls.
Memory corruption while processing IOCTL call for getting group info.
Memory corruption while IOCTL is called when device is in invalid state and the WMI command buffer may be freed twice.
Memory corruption while processing user packets to generate page faults.
Memory corruption while handling session errors from firmware.
Memory corruption while processing voice packet with arbitrary data received from ADSP.
Memory corruption during GNSS HAL process initialization.
Memory corruption during station LL statistic handling.
Buffer overflow in LibFastCV library due to improper size checks with respect to buffer length in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in APQ8052, APQ8056, APQ8076, APQ8096, APQ8096SG, APQ8098, MDM9655, MSM8952, MSM8956, MSM8976, MSM8976SG, MSM8996, MSM8996SG, MSM8998, QCM4290, QCM6125, QCS410, QCS4290, QCS610, QCS6125, QSM8250, SA6145P, SA6150P, SA6155, SA6155P, SA8150P, SA8155, SA8155P, SA8195P, SC7180, SDA640, SDA660, SDA845, SDA855, SDM640, SDM660, SDM830, SDM845, SDM850, SDX50M, SDX55, SDX55M, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6150, SM6150P, SM6250, SM6250P, SM6350, SM7125, SM7150, SM7150P, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SXR2130, SXR2130P
Memory corruption due to improper bounds check while command handling in camera-kernel driver.
Possible buffer overflow in WIFI hal process due to usage of memcpy without checking length of destination buffer in Snapdragon Auto, Snapdragon Compute, Snapdragon Industrial IOT, Snapdragon Mobile in QCM4290, QCS4290, QM215, QSM8350, SA6145P, SA6155, SA6155P, SA8155, SA8155P, SC8180X, SC8180XP, SDX55, SDX55M, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6250, SM6350, SM7125, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SM8350, SM8350P, SXR2130, SXR2130P
Out of bound access in computer vision control due to improper validation of command length before processing it in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile
Memory corruption while encoding the image data.
An improper free of uninitialized memory can occur in DIAG services in Snapdragon Compute, Snapdragon Industrial IOT, Snapdragon Mobile
Information disclosure due to uninitialized variable.
Information disclosure possible while audio playback.
Lack of check of buffer length before copying can lead to buffer overflow in camera module in Small Cell SoC, Snapdragon Mobile, Snapdragon Wear in FSM9055, FSM9955, IPQ4019, IPQ8064, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA9531, QCA9558, QCA9563, QCA9880, QCA9886, QCA9980, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 800, SD 810, SD 820, SD 835, SDM630, SDM636, SDM660, SDX20, Snapdragon_High_Med_2016.
A race condition exists in a driver potentially leading to a use-after-free condition.
Buffer overwrite in the WLAN host driver by leveraging a compromised WLAN FW
When sending a socket event message to a user application, invalid information will be passed if socket is freed by other thread resulting in a Use After Free condition in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
Memory corruption in TZ Secure OS while requesting a memory allocation from TA region.
Memory corruption while processing buffer initialization, when trusted reports for certain report types are generated.
Memory corruption in Core while processing RX intent request.
Memory corruption while running VK synchronization with KASAN enabled.