Information disclosure may occur during a video call if a device resets due to a non-conforming RTCP packet that doesn't adhere to RFC standards.
Information disclosure during audio playback.
Transient DOS while processing the CU information from RNR IE.
Transient DOS while parsing probe response and assoc response frame.
Information disclosure while processing IO control commands.
Memory corruption while IOCTL is called when device is in invalid state and the WMI command buffer may be freed twice.
Forcing the Bluetooth LE stack to segment 'prepare write response' packets can lead to an out-of-bounds memory access.
Memory corruption in core services when Diag handler receives a command to configure event listeners.
Memory corruption in MPP performance while accessing DSM watermark using external memory address.
Memory corruption in WLAN HAL while handling command streams through WMI interfaces.
Memory corruption in UTILS when modem processes memory specific Diag commands having arbitrary address values as input arguments.
Memory corruption in WLAN handler while processing PhyID in Tx status handler.
Memory corruption in WLAN Host while setting the PMK length in internal cache.
Memory corruption while handling payloads from remote ESL.
Transient DOS in WLAN Firmware while processing frames with missing header fields.
Memory corruption in WLAN HAL while handling command through WMI interfaces.
Memory Corruption in WLAN HOST while fetching TX status information.
Memory corruption in SPS Application while requesting for public key in sorter TA.
Memory corruption in WIN Product while invoking WinAcpi update driver in the UEFI region.
Information disclosure in WLAN HOST while processing the WLAN scan descriptor list during roaming scan.
Transient DOS in Audio while remapping channel buffer in media codec decoding.
Memory corruption in Core Services while executing the command for removing a single event listener.
Memory corruption in TZ Secure OS while loading an app ELF.
Memory corruption in multimedia due to improper check on received export descriptors in Snapdragon Auto.
Possible out of bounds write due to improper input validation while processing DO_ACS vendor command in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCS605, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 712 / SD 710 / SD 670, SD 820A, SD 845 / SD 850, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24.
Transient DOS while processing TID-to-link mapping IE elements.
Memory corruption while passing untrusted/corrupted pointers from DSP to EVA.
Memory corruption while processing frame packets.
Memory corruption when allocating and accessing an entry in an SMEM partition continuously.
Transient DOS while parsing SCAN RNR IE when the bytes received from the AP are such that the size of the last param of the IE is less than the neighbor report.
Transient DOS while parsing the MBSSID IE from the beacons, when the MBSSID IE length is zero.
Information disclosure while processing an IOCTL call made for releasing a trusted VM process or opening a channel without initializing the process.
Memory corruption when BTFM client sends new messages over Slimbus to ADSP.
Information disclosure while processing information on firmware image during core initialization.
Transient DOS while parsing probe response and assoc response frame when received frame length is less than max size of timestamp.
Transient DOS while parsing the noninheritance IE of an Extension element in a beacon frame when the length of the IE is 2.
Transient DOS when driver accesses the ML IE memory and offset value is incremented beyond ML IE length.
Transient DOS when registration accept OTA is received with incorrect ciphering key data IE in modem.
Memory corruption when the captureRead QDCM command is invoked from user-space.
Transient DOS while parsing BTM ML IE when per STA profile is not included.
Transient DOS while parsing the received TID-to-link mapping action frame.
Memory Corruption in Core due to secure memory access by user while loading modem image.
Transient DOS while handling PS event when Program Service name length offset value is set to 255.
Transient DOS while parsing MBSSID during new IE generation in beacon/probe frame when IE length check is either missing or improper.
Memory Corruption in WLAN HOST while parsing QMI response message from firmware.
Memory corruption in Modem while processing security related configuration before AS Security Exchange.
Memory corruption while configuring a Hypervisor based input virtual device.
Memory corruption due to out of bound read while parsing a video file in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile.
Memory Corruption in HLOS while registering for key provisioning notify.
Transient DOS while parsing the received TID-to-link mapping element of beacon/probe response frame.