Possible out of bound access of DCI resources due to lack of validation process and resource allocation in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking
Possible race condition due to lack of a synchronization mechanism when the On-Device Logging node is opened twice concurrently in Snapdragon Compute, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music
Improper access control sequence for AC database after memory allocation can lead to possible memory corruption in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking
Use after free condition can occur in wired connectivity due to a race condition while creating and deleting folders in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking
Memory corruption in Linux Android due to a double free while calling unregister provider after a register call.
Memory corruption can occur during context user dumps due to inadequate checks on buffer length.
Possible out of bound access due to improper validation of item size and DIAG memory pools data while switching between USB and PCIE interface in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking
Memory corruption due to improper bounds check while command handling in camera-kernel driver.
Possible use-after-free due to lack of validation for the rule count in filter table in IPA driver in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
Possible buffer overflow due to lack of length check of source and destination buffer before copying in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music
Memory corruption while invoking redundant release command to release one buffer from user space as race condition can occur in kernel space between buffer release and buffer access.
Memory corruption while processing IOCTL calls to unmap the buffers.
Memory corruption when the user application modifies the same shared memory asynchronously while the kernel is accessing it.
Memory corruption due to improper validation of array index in computer vision while testing EVA kernel without sending any frames.
Memory corruption in Audio due to incorrect type cast during audio use-cases.
Memory corruption while IOCTL is called when the device is in an invalid state and the WMI command buffer may be freed twice.
Forcing the Bluetooth LE stack to segment 'prepare write response' packets can lead to an out-of-bounds memory access.
Memory corruption in core services when Diag handler receives a command to configure event listeners.
Memory corruption in MPP performance while accessing DSM watermark using external memory address.
Memory corruption in WLAN HAL while handling command streams through WMI interfaces.
Memory corruption in UTILS when modem processes memory specific Diag commands having arbitrary address values as input arguments.
Memory corruption in WLAN handler while processing PhyID in Tx status handler.
Memory corruption while handling payloads from remote ESL.
Memory corruption in WLAN HAL while handling command through WMI interfaces.
Memory corruption in SPS Application while requesting for public key in sorter TA.
Memory corruption in WIN Product while invoking WinAcpi update driver in the UEFI region.
Memory corruption in Core Services while executing the command for removing a single event listener.
Memory corruption in TZ Secure OS while loading an app ELF.
Memory corruption in multimedia due to improper check on received export descriptors in Snapdragon Auto
Possible out of bounds write due to improper input validation while processing DO_ACS vendor command in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCS605, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 712 / SD 710 / SD 670, SD 820A, SD 845 / SD 850, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24
Memory corruption while passing untrusted/corrupted pointers from DSP to EVA.
Memory corruption while processing frame packets.
Memory corruption when BTFM client sends new messages over Slimbus to ADSP.
Memory Corruption in Core due to secure memory access by user while loading modem image.
Memory Corruption in WLAN HOST while parsing QMI response message from firmware.
Memory corruption in Modem while processing security related configuration before AS Security Exchange.
Memory corruption while configuring a Hypervisor based input virtual device.
Memory Corruption in HLOS while registering for key provisioning notify.
Memory Corruption in Data Modem while making a MO call or MT VOLTE call.
Memory Corruption in Multi-mode Call Processor while processing bit mask API.
Memory Corruption in WLAN HOST while processing WLAN FW request to allocate memory.
Memory Corruption in Audio while playing amrwbplus clips with modified content.
Memory corruption due to untrusted pointer dereference in automotive during system call.
Memory corruption when user provides data for FM HCI command control operations.
Memory corruption in Automotive GPU while querying a gsl memory node.
Memory Corruption in Core Platform while printing the response buffer in log.
Memory corruption in WLAN HAL while processing WMI-UTF command or FTM TLV1 command.
Memory corruption when Alternative Frequency offset value is set to 255.
Memory corruption during the handshake between the Primary Virtual Machine and Trusted Virtual Machine.
In msm_ispif_config_stereo() in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-06-21, the parameter params->entries[i].vfe_intf comes from userspace without any bounds check which could potentially result in a kernel out-of-bounds write.