QSEE will randomly experience a fatal error during execution due to speculative instruction fetches from device memory. Device memory is not valid executable memory.
Memory corruption can occur when an arbitrary user-space app gains kernel level privilege to modify DDR memory by corrupting the GPU page table.
Memory corruption as GPU registers beyond the last protected range can be accessed through LPAC submissions.
Memory corruption while creating an LPAC client, as the LPAC engine was allowed to access GPU registers.
Memory corruption due to improper access control in kernel while processing a mapping request from a root process.
Memory corruption while processing image encoding, when input buffer length is 0 in IOCTL call.
Memory corruption while processing image encoding, when configuration is NULL in IOCTL parameter.
Memory Corruption in GPU Subsystem due to arbitrary command execution from GPU in privileged mode.
Memory corruption may occur while attaching VM when the HLOS retains access to VM.
Memory corruption in Automotive Android OS due to improper validation of array index.
Memory corruption in Automotive Multimedia due to improper access control in HAB.
Memory corruption due to improper access control in Qualcomm IPC.
Memory corruption in Automotive OS whenever untrusted apps try to access HAB for graphics functionalities.
Memory corruption while handling client exceptions, allowing unauthorized channel access.
Memory corruption in HAB Memory management due to broad system privileges via physical address.
Improper Access to the VM resource manager can lead to Memory Corruption.
Memory corruption during memory mapping into protected VM address space due to incorrect API restrictions.
Memory corruption may occur due to improper access control in HAB process.
Memory corruption while Configuring the SMR/S2CR register in Bypass mode.
Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9, as used in a certain Motorola build of Android 4.1.2 and other products, allows local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted /dev/graphics/fb0 mmap2 system calls, as demonstrated by the Motochopper pwn program.
Memory corruption when allocating and accessing an entry in an SMEM partition continuously.
Memory corruption when the captureRead QDCM command is invoked from user-space.
Memory corruption when BTFM client sends new messages over Slimbus to ADSP.
Memory corruption while calculating total metadata size when a very high reserved size is requested by gralloc clients.
Memory corruption while taking snapshot when an offset variable is set by camera driver.
Memory corruption when Alternative Frequency offset value is set to 255.
An unsigned integer underflow vulnerability in the IPA driver results in a buffer over-read while reading a NAT entry using the debugfs command 'cat /sys/kernel/debug/ipa/ip4_nat'.
Memory corruption when user provides data for FM HCI command control operations.
Memory corruption while passing untrusted/corrupted pointers from DSP to EVA.
Memory corruption may occur during the synchronization of the camera's frame processing pipeline.
Memory corruption while processing IOCTL call to set metainfo.
Memory corruption during the handshake between the Primary Virtual Machine and Trusted Virtual Machine.
Memory corruption while creating a fence to wait on timeline events, and simultaneously signal timeline events.
Memory corruption as fence object may still be accessed in timeline destruct after isync fence is released.
Memory corruption while invoking IOCTL calls to unmap the DMA buffers.
Memory corruption can occur if VBOs hold outdated or invalid GPU SMMU mappings, especially when the binding and reclaiming of memory buffers are performed at the same time.
Memory corruption while processing frame command IOCTL calls.
Memory corruption while allocating memory in HGSL driver.
Memory Corruption in SPS Application while exporting public key in sorter TA.
Initial xbl_sec revision does not have all the debug policy features and critical checks.
Memory corruption in BT controller while parsing debug commands with specific sub-opcodes at HCI interface level.
Memory corruption in WLAN Host while setting the PMK length in internal cache.
Memory corruption while processing camera use case IOCTL call.
Memory corruption caused by missing locks and checks on the DMA fence and improper synchronization.
Memory corruption in core services when Diag handler receives a command to configure event listeners.
Memory corruption in WLAN HAL while processing Tx/Rx commands from QDART.
Memory corruption while processing graphics kernel driver request to create DMA fence.
Memory corruption when memory mapped in a VBO is not unmapped by the GPU SMMU.
Memory corruption when the IOCTL call is interrupted by a signal.
Memory corruption when kernel driver attempts to trigger hardware fences.