Transient DOS while parsing the multi-link element Control field when common information length check is missing before updating the location.
Memory corruption when the captureRead QDCM command is invoked from user-space.
Information disclosure while parsing the BSS parameter change count or MLD capabilities fields of the ML IE.
Transient DOS while parsing the received TID-to-link mapping action frame.
Transient DOS while parsing ESP IE from beacon/probe response frame.
Transient DOS while parsing MBSSID during new IE generation in beacon/probe frame when IE length check is either missing or improper.
Transient DOS while parsing probe response and assoc response frame when received frame length is less than max size of timestamp.
Transient DOS while parsing ESP IE from beacon/probe response frame.
Memory corruption when Alternative Frequency offset value is set to 255.
Transient DOS while parsing noninheritance IE of Extension element when length of IE is 2 of beacon frame.
Transient DOS while handling PS event when Program Service name length offset value is set to 255.
Information disclosure while processing IOCTL call made for releasing a trusted VM process release or opening a channel without initializing the process.
Transient DOS while parsing the received TID-to-link mapping element of beacon/probe response frame.
Information disclosure as NPU firmware can send invalid IPC message to NPU driver as the driver doesn't validate the IPC message received from the firmware.
Transient DOS when driver accesses the ML IE memory and offset value is incremented beyond ML IE length.
Transient DOS when processing the non-transmitted BSSID profile sub-elements present within the MBSSID Information Element (IE) of a beacon frame that is received from over-the-air (OTA).
Transient DOS when registration accept OTA is received with incorrect ciphering key data IE in Modem.
Transient DOS while decoding attach reject message received by UE, when IEI is set to ESM_IEI.
Memory corruption is possible when an attempt is made from userspace or console to write some haptics effects pattern to the haptics debugfs file.
Memory corruption during session sign renewal request calls in HLOS.
Memory corruption when keymaster operation imports a shared key.
Information disclosure while handling T2LM Action Frame in WLAN Host.
Memory corruption when size of buffer from previous call is used without validation or re-initialization.
Memory corruption when preparing a shared memory notification for a memparcel in Resource Manager.
Memory corruption while processing key blob passed by the user.
Information Disclosure while parsing beacon frame in STA.
Memory corruption when an invoke call and a TEE call are bound for the same trusted application.
Information disclosure when the ADSP payload size received in HLOS in response to Audio Stream Manager matrix session is less than the expected size.
Information disclosure while handling beacon probe frame during scan entry generation in client side.
Memory corruption when the channel ID passed by user is not validated and further used.
Transient DOS while parsing a protected 802.11az Fine Time Measurement (FTM) frame.
Information disclosure while handling Multi-link IE in beacon frame.
Incorrect handling of pointers in trusted application key import mechanism could cause memory corruption in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Voice & Music, Snapdragon Wearables
Possible memory corruption due to lack of bound check of input index in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
Possible buffer underflow due to lack of check for negative index values when processing user provided input in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Voice & Music, Snapdragon Wearables
Possible buffer overflow due to improper validation of FTM command payload in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile
Improper length check of public exponent in RSA import key function could cause memory corruption in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Voice & Music, Snapdragon Wearables
Integer overflow to buffer overflow due to lack of validation of event arguments received from firmware in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in IPQ4019, IPQ8064, IPQ8074, MDM9607, MSM8917, MSM8920, MSM8937, MSM8940, QCN7605, QCS405, QCS605, SDA845, SDM660, SDM845, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130
Information disclosure in Video while parsing mp2 clip with invalid section length.
Memory corruption when IOCTL call is invoked from user-space to write board data to WLAN driver.
Memory corruption while sound model registration for voice activation with audio kernel driver.
Possible out of bounds write in a MT SMS/SS scenario due to improper validation of array index in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8976, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, Snapdragon_High_Med_2016, SXR1130, SXR2130
Memory corruption while parsing qcp clip with invalid chunk data size.
Memory corruption while processing TPC target power table in FTM TPC.
Memory corruption while processing IOCTL handler in FastRPC.
Memory corruption in video while parsing invalid mp2 clip.
Transient DOS while parsing FILS IE with length equal to 1.
Transient DOS in WLAN Firmware when the length of received beacon is less than length of IEEE 802.11 beacon frame.
Memory corruption when AP includes TID to link mapping IE in the beacons and STA is parsing the beacon TID to link mapping IE.
Transient DOS while processing an improperly formatted 802.11az Fine Time Measurement protocol frame.