QSEE will randomly experience a fatal error during execution due to speculative instruction fetches from device memory. Device memory is not valid executable memory.
Memory corruption while creating a LPAC client as LPAC engine was allowed to access GPU registers.
Memory corruption while handling client exceptions, allowing unauthorized channel access.
Memory corruption while processing image encoding, when configuration is NULL in IOCTL parameter.
Memory corruption while processing image encoding, when input buffer length is 0 in IOCTL call.
Memory corruption may occur due to improper access control in HAB process.
Memory corruption in Automotive Android OS due to improper validation of array index.
Memory corruption in Automotive OS whenever untrusted apps try to access HAB for graphics functionalities.
Memory corruption due to improper access control in Qualcomm IPC.
Memory corruption in HAB Memory management due to broad system privileges via physical address.
Improper Access to the VM resource manager can lead to Memory Corruption.
Memory Corruption in GPU Subsystem due to arbitrary command execution from GPU in privileged mode.
Memory corruption in Automotive Multimedia due to improper access control in HAB.
Memory Corruption in Core while invoking a call to Access Control core library with hardware protected address range.
Memory corruption can occur when arbitrary user-space app gains kernel level privilege to modify DDR memory by corrupting the GPU page table.
Memory corruption due to improper access control in kernel while processing a mapping request from root process.
Memory corruption may occur while attaching VM when the HLOS retains access to VM.
Memory corruption during memory mapping into protected VM address space due to incorrect API restrictions.
An unsigned integer underflow vulnerability in the IPA driver results in a buffer over-read while reading a NAT entry using the debugfs command `cat /sys/kernel/debug/ipa/ip4_nat`.
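The underflow pattern described in the IPA NAT entry above, as an added example that is not the IPA driver's code: a user-space model of a debugfs-style read that walks fixed-size table entries, with the wrapping subtraction beside a version that checks the offset before subtracting. The names (nat_table, nat_read_entries_*, NAT_ENTRY_SIZE, NAT_TABLE_BYTES) and the sample table are hypothetical and constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAT_ENTRY_SIZE  32u   /* hypothetical entry size */
#define NAT_TABLE_BYTES 128u  /* hypothetical table: 4 entries */

struct nat_table {
    uint8_t  mem[NAT_TABLE_BYTES];
    uint32_t size;            /* bytes actually backing mem */
};

/* Vulnerable: `size - offset` is evaluated in unsigned arithmetic. An offset
 * beyond `size` (e.g. a stale read position) wraps to a value near 4 GiB, so
 * the copy length is bounded only by the caller's buffer and the read walks
 * past the end of `mem`. */
static size_t nat_read_entries_vulnerable(const struct nat_table *t, uint32_t offset,
                                          uint8_t *out, size_t out_len)
{
    uint32_t remaining = t->size - offset;        /* underflows when offset > size */
    size_t n = remaining < out_len ? remaining : out_len;
    memcpy(out, t->mem + offset, n);              /* over-read on a wrapped value */
    return n;
}

/* Hardened: reject misaligned or out-of-range offsets before subtracting, so
 * `remaining` is always a real count of bytes left inside the table. */
static size_t nat_read_entries_hardened(const struct nat_table *t, uint32_t offset,
                                        uint8_t *out, size_t out_len)
{
    if (t->size > NAT_TABLE_BYTES || offset > t->size || offset % NAT_ENTRY_SIZE != 0)
        return 0;
    size_t remaining = t->size - offset;          /* cannot underflow now */
    size_t n = remaining < out_len ? remaining : out_len;
    memcpy(out, t->mem + offset, n);
    return n;
}

/* Returns the wrapped count the vulnerable version would try to copy. */
static uint32_t wrapped_remaining(uint32_t size, uint32_t offset)
{
    return size - offset;
}

/* Constructed sample table and output buffer. */
static struct nat_table sample_table = { {0}, NAT_TABLE_BYTES };
static uint8_t sample_out[64];

int main(void)
{
    printf("hardened, offset 96:  %zu bytes\n",
           nat_read_entries_hardened(&sample_table, 96, sample_out, sizeof sample_out));
    printf("hardened, offset 160: %zu bytes\n",
           nat_read_entries_hardened(&sample_table, 160, sample_out, sizeof sample_out));
    printf("vulnerable would try to copy %u bytes at offset 160\n",
           wrapped_remaining(sample_table.size, 160));
    printf("vulnerable, offset 0: %zu bytes (safe only because the input is)\n",
           nat_read_entries_vulnerable(&sample_table, 0, sample_out, sizeof sample_out));
    return 0;
}
```

The check has to happen before the subtraction: clamping `remaining` afterwards does not help, because the wrapped value is already larger than any sane bound.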
Initial xbl_sec revision does not have all the debug policy features and critical checks.
Memory corruption when kernel driver attempts to trigger hardware fences.
Memory corruption while handling user packets during VBO bind operation.
Memory corruption while invoking IOCTL call for GPU memory allocation and size param is greater than expected size.
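The three IOCTL argument problems above (a NULL configuration pointer, a zero-length input buffer, and a size parameter larger than the buffer it is meant to fill) share one root cause: fields copied in from userspace are used before they are validated. As an added example that is not Qualcomm's code, a user-space model of such a handler with the trusting version beside the validating one. The request layout, the handler names (img_enc_ioctl_*), ENC_MAX_INPUT and the sample inputs are hypothetical and constructed here.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENC_MAX_INPUT 4096u  /* hypothetical upper bound the engine accepts */

struct img_enc_cfg { uint32_t width, height, quality; };

/* Request layout a user process hands to the driver through ioctl().
 * Every field is attacker-controlled. */
struct img_enc_req {
    const struct img_enc_cfg *cfg;  /* may arrive as NULL */
    const uint8_t *in;
    uint32_t in_len;                /* may arrive as 0 */
    uint32_t alloc_size;            /* may exceed the scratch buffer */
};

/* Vulnerable handler: uses each field as-is. A NULL cfg is dereferenced,
 * an alloc_size larger than the scratch buffer overflows it, and in_len == 0
 * wraps in_len - 1 to 0xffffffff and writes far out of bounds. */
static int img_enc_ioctl_vulnerable(const struct img_enc_req *req, uint8_t *scratch)
{
    uint32_t q = req->cfg->quality;
    memcpy(scratch, req->in, req->alloc_size);
    scratch[req->in_len - 1] ^= (uint8_t)q;
    return 0;
}

/* Hardened handler: validate every field before touching memory and tie the
 * number of bytes copied to the bound of the scratch buffer. */
static int img_enc_ioctl_hardened(const struct img_enc_req *req, uint8_t *scratch)
{
    if (req == NULL || req->cfg == NULL || req->in == NULL)
        return -EINVAL;
    if (req->in_len == 0 || req->in_len > ENC_MAX_INPUT)
        return -EINVAL;
    if (req->alloc_size < req->in_len || req->alloc_size > ENC_MAX_INPUT)
        return -EINVAL;
    if (req->cfg->width == 0 || req->cfg->height == 0 || req->cfg->quality > 100)
        return -EINVAL;
    memcpy(scratch, req->in, req->in_len);
    scratch[req->in_len - 1] ^= (uint8_t)req->cfg->quality;
    return 0;
}

/* Constructed inputs covering the cases described above. */
static const struct img_enc_cfg good_cfg = { 640, 480, 80 };
static const uint8_t good_in[16] = { 1, 2, 3, 4 };
static uint8_t scratch_buf[ENC_MAX_INPUT];

static int case_valid(void)
{
    struct img_enc_req r = { &good_cfg, good_in, 16, 16 };
    return img_enc_ioctl_hardened(&r, scratch_buf);
}
static int case_null_cfg(void)
{
    struct img_enc_req r = { NULL, good_in, 16, 16 };
    return img_enc_ioctl_hardened(&r, scratch_buf);
}
static int case_zero_len(void)
{
    struct img_enc_req r = { &good_cfg, good_in, 0, 16 };
    return img_enc_ioctl_hardened(&r, scratch_buf);
}
static int case_oversize_alloc(void)
{
    struct img_enc_req r = { &good_cfg, good_in, 16, ENC_MAX_INPUT + 1 };
    return img_enc_ioctl_hardened(&r, scratch_buf);
}

int main(void)
{
    struct img_enc_req r = { &good_cfg, good_in, 16, 16 };
    printf("vulnerable handler on well-formed input: %d\n",
           img_enc_ioctl_vulnerable(&r, scratch_buf));
    printf("valid=%d null_cfg=%d zero_len=%d oversize=%d\n",
           case_valid(), case_null_cfg(), case_zero_len(), case_oversize_alloc());
    return 0;
}
```

In a real kernel driver the request struct would first be copied with copy_from_user(); the checks belong immediately after that copy, on the kernel-side copy, never on the user mapping.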
Memory corruption when the IOCTL call is interrupted by a signal.
Memory corruption while releasing shared resources in MinkSocket listener thread.
Memory corruption when invalid length is provided from HLOS for FRS/UDS request/response buffers.
Memory corruption in Kernel while handling GPU operations.
Memory corruption while processing graphics kernel driver request to create DMA fence.
Memory corruption when allocating and accessing an entry in an SMEM partition.
Memory corruption when the mapped pages in VBO are still mapped after reclaiming by shrinker.
Memory corruption when keymaster operation imports a shared key.
Memory Corruption in SPS Application while exporting public key in sorter TA.
Memory corruption when there is failed unmap operation in GPU.
Memory corruption when preparing a shared memory notification for a memparcel in Resource Manager.
Memory corruption when a compat IOCTL call is followed by another IOCTL call from userspace to a driver.
Memory corruption while processing key blob passed by the user.
Memory corruption when IOMMU unmap of a GPU buffer fails in Linux.
Memory corruption in BT controller while parsing debug commands with specific sub-opcodes at HCI interface level.
Memory corruption while processing IPA statistics, when there are no active clients registered.
Memory corruption when size of buffer from previous call is used without validation or re-initialization.
Memory corruption when an invoke call and a TEE call are bound for the same trusted application.
Memory corruption when the payload received from firmware is not as per the expected protocol size.
Memory corruption when the channel ID passed by user is not validated and further used.
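The two state-related problems above, a buffer size carried over from a previous call without validation or re-initialization and a user-supplied channel ID used as an index without a check, both come from trusting values at the point of use that were only (or never) checked at the point of entry. As an added example that is not Qualcomm's code, a user-space model of a two-step interface in which one call records the parameters and a later call consumes them. The names (client_ctx, ctx_set_params_*, ctx_write_*, NUM_CHANNELS, CHAN_BUF_SIZE) and the sample payload are hypothetical and constructed here.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_CHANNELS  4u
#define CHAN_BUF_SIZE 64u

struct channel { uint8_t buf[CHAN_BUF_SIZE]; int open; };

struct client_ctx {
    struct channel chans[NUM_CHANNELS];
    uint32_t saved_chan;   /* channel ID recorded by an earlier call */
    uint32_t saved_len;    /* buffer length recorded by an earlier call */
};

static void ctx_init(struct client_ctx *c)
{
    memset(c, 0, sizeof *c);
    c->chans[1].open = 1;  /* constructed: only channel 1 is open */
}

static void ctx_close_channel(struct client_ctx *c, uint32_t chan)
{
    if (chan < NUM_CHANNELS)
        c->chans[chan].open = 0;
}

/* Step 1, vulnerable: store the user's channel ID and length unchecked. */
static int ctx_set_params_vulnerable(struct client_ctx *c, uint32_t chan, uint32_t len)
{
    c->saved_chan = chan;
    c->saved_len = len;
    return 0;
}

/* Step 1, hardened: validate at entry. */
static int ctx_set_params_hardened(struct client_ctx *c, uint32_t chan, uint32_t len)
{
    if (chan >= NUM_CHANNELS || !c->chans[chan].open)
        return -EINVAL;
    if (len == 0 || len > CHAN_BUF_SIZE)
        return -EINVAL;
    c->saved_chan = chan;
    c->saved_len = len;
    return 0;
}

/* Step 2, vulnerable: an out-of-range saved_chan indexes past chans[], and a
 * saved_len larger than CHAN_BUF_SIZE overruns buf[]. */
static int ctx_write_vulnerable(struct client_ctx *c, const uint8_t *src)
{
    memcpy(c->chans[c->saved_chan].buf, src, c->saved_len);
    return 0;
}

/* Step 2, hardened: re-check the saved state at the point of use (the channel
 * may have been closed since step 1) and consume the length so a later call
 * cannot inherit a stale value. */
static int ctx_write_hardened(struct client_ctx *c, const uint8_t *src, size_t src_len)
{
    uint32_t chan = c->saved_chan, len = c->saved_len;
    if (chan >= NUM_CHANNELS || !c->chans[chan].open)
        return -EBADF;
    if (len == 0 || len > CHAN_BUF_SIZE || len > src_len)
        return -EINVAL;
    memcpy(c->chans[chan].buf, src, len);
    c->saved_len = 0;  /* re-initialise: parameters are one-shot */
    return 0;
}

static const uint8_t sample_src[CHAN_BUF_SIZE] = { 0xAA, 0xBB };  /* constructed payload */
static struct client_ctx g_ctx;

int main(void)
{
    ctx_init(&g_ctx);
    ctx_set_params_vulnerable(&g_ctx, 1, 16);
    ctx_write_vulnerable(&g_ctx, sample_src);   /* safe only because the inputs are */
    printf("set(7,16)=%d\n", ctx_set_params_hardened(&g_ctx, 7, 16));
    printf("set(1,16)=%d\n", ctx_set_params_hardened(&g_ctx, 1, 16));
    printf("write=%d\n", ctx_write_hardened(&g_ctx, sample_src, sizeof sample_src));
    printf("second write without new params=%d\n",
           ctx_write_hardened(&g_ctx, sample_src, sizeof sample_src));
    return 0;
}
```

Validating at entry is necessary but not sufficient: anything that can change between the two calls (channel closed, buffer reallocated, another IOCTL on the same context) has to be re-checked where the saved value is actually used.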
Memory corruption in WLAN HAL while processing devIndex from untrusted WMI payload.
Memory corruption while allocating memory for graphics.
Memory corruption while performing finish HMAC operation when context is freed by keymaster.
Memory corruption during the secure boot process: when the `bootm` command is used, authentication of the kernel/rootfs image is bypassed.
Lack of null check while freeing the device information buffer in the Bluetooth HFP protocol can lead to a NULL pointer dereference in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wearables.
Possible out of bounds access due to improper input validation during graphics profiling in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables.
Memory corruption in DSP service due to improper validation of input parameters in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile.