Memory corruption in Audio while calling START command on host voice PCM multiple times for the same RX or TX tap points.
Memory corruption while receiving a message in Bus Socket Transport Server.
Memory corruption in WLAN Host while setting the PMK length in PMK length in internal cache.
Memory corruption while processing audio effects.
Memory Corruption in camera while installing a fd for a particular DMA buffer.
Memory corruption in RIL while trying to send apdu packet.
Memory corruption in Audio while processing sva_model_serializer using memory size passed by HIDL client.
Memory Corruption in Linux while processing QcRilRequestImsRegisterMultiIdentityMessage request.
Memory corruption in WLAN while running doDriverCmd for an unspecific command.
Memory corruption in Linux when the file upload API is called with parameters having large buffer.
Memory Corruption while accessing metadata in Display.
Memory corruption in Audio during playback session with audio effects enabled.
Memory Corruption in Data Network Stack & Connectivity when sim gets detected on telephony.
Memory corruption in Linux while calling system configuration APIs.
An out-of-bounds write can occur due to an incorrect input check in the camera driver in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
Possible memory corruption due to improper validation of memory address while processing user-space IOCTL for clearing Filter and Route statistics in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
Memory corruption when input parameter validation for number of fences is missing for fence frame IOCTL calls,
Memory corruption is possible when an attempt is made from userspace or console to write some haptics effects pattern to the haptics debugfs file.
Memory corruption in Linux while sending DRM request.
Memory Corruption in VR Service while sending data using Fast Message Queue (FMQ).
Memory Corruption in Radio Interface Layer while sending an SMS or writing an SMS to SIM.
Memory Corruption in GPS HLOS Driver when injectFdclData receives data with invalid data length.
Memory corruption when the bandpass filter order received from AHAL is not within the expected range.
Memory corruption when multiple listeners are being registered with the same file descriptor.
Memory corruption while querying module parameters from Listen Sound model client in kernel from user space.
Memory corruption in Audio during a playback or a recording due to race condition between allocation and deallocation of graph object.
Memory corruption due to use after free in service while trying to access maps by different threads in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking
Memory corruption in display due to double free while allocating frame buffer memory
Memory corruption in camera due to improper validation of array index in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables
Memory corruption in video driver due to type confusion error during video playback
Memory corruption in diag due to use after free while processing dci packet in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking
Memory corruption in camera due to buffer copy without checking size of input in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Mobile, Snapdragon Wearables
Memory corruption in Multimedia Framework due to unsafe access to the data members
Out of bound memory access in camera driver due to improper validation on data coming from UMD which is used for offset manipulation of pointer in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
Use after free issue in HIDL while using callback to post event in Rx thread when internal mutex is not acquired and meantime close is triggered and callback instance is deleted in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables
Two threads call one or both functions concurrently leading to corruption of pointers and reference counters which in turn can lead to heap corruption in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile
Resource leakage issue during dci client registration due to reference count is not decremented if dci client registration fails in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
Use after free issue in audio modules while removing and freeing objects during list iteration due to incorrect usage of macro in Snapdragon Compute, Snapdragon Industrial IOT, Snapdragon Mobile
Memory corruption in Audio while processing IIR config data from AFE calibration block.
Memory corruption in HLOS while converting from authorization token to HIDL vector.
Memory corruption while sending SMS from AP firmware.
Memory corruption in Audio while processing the calibration data returned from ACDB loader.
A process can potentially cause a buffer overflow in the display service allowing privilege escalation by executing code as that service in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
The cam_get_device_priv function does not check the type of handle being returned (device/session/link). This would lead to invalid type usage if a wrong handle is passed to it.
Memory Corruption in WLAN Host while deserializing the input PMK bytes without checking the input PMK length.
In the function call related to CAM_REQ_MGR_RELEASE_BUF there is no check if the buffer is being used. So when a function called cam_mem_get_cpu_buf to get the kernel va to use, another thread can call CAM_REQ_MGR_RELEASE_BUF to unmap the kernel va which cause UAF of the kernel address.
Memory corruption when IPv6 prefix timer object`s lifetime expires which are created while Netmgr daemon gets an IPv6 address.
Memory Corruption in Audio while invoking IOCTLs calls from the user-space.
Memory corruption in Trusted Execution Environment while calling service API with invalid address.
Memory corruption in RIL due to Integer Overflow while triggering qcril_uim_request_apdu request.