In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in the function mdss_rotator_ioctl in the driver /dev/mdss_rotator, a Use-After-Free condition can potentially occur due to a fence being installed too early.

In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in a KGSL driver function, a race condition exists which can lead to a Use After Free condition.

In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, if cmd_pkt and reg_pkt are called from different userspace threads, a use after free condition can potentially occur in wdsp_glink_write().

In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, the VIDIOC_G_SDE_ROTATOR_FENCE ioctl command can be used to cause a Use After Free condition.

In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, LUT configuration is passed down to driver from userspace via ioctl. Simultaneous update from userspace while kernel drivers are updating LUT registers can lead to race condition.

Memory corruption when IOMMU unmap operation fails, the DMA and anon buffers are getting released.

Memory corruption when memory mapped in a VBO is not unmapped by the GPU SMMU.

Memory corruption when a process invokes IOCTL calls from user-space to create a HAB virtual channel and another process invokes IOCTL calls to destroy the same.

Memory corruption when the IOCTL call is interrupted by a signal.

Memory corruption while sending the persist buffer command packet from the user-space to the kernel space through the IOCTL call.

Memory corruption while releasing shared resources in MinkSocket listener thread.

Memory corruption when kernel driver attempts to trigger hardware fences.

Memory corruption in Kernel while handling GPU operations.

Memory corruption when there is failed unmap operation in GPU.

Memory corruption when IOMMU unmap of a GPU buffer fails in Linux.

Memory corruption due to use after free in trusted application environment.

Memory corruption due to use after free in Core when multiple DCI clients register and deregister.

Memory corruption due to use after free in Modem while modem initialization.

In all Qualcomm products with Android releases from CAF using the Linux kernel, a use-after-free vulnerability exists in IMS RCS.

u'Use after free issue in Bluetooth transport driver when a method in the object is accessed after the object has been deleted due to improper timer handling.' in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in APQ8009W, MSM8909W, QCS605, QM215, SA6155, SA6155P, SA8155, SA8155P, SDA640, SDA670, SDA855, SDM1000, SDM640, SDM670, SDM710, SDM845, SDX50M, SDX55, SDX55M, SM6125, SM6350, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SXR1120, SXR1130, SXR2130, SXR2130P

Improper handling of multiple session supported by PVM backend can lead to use after free in Snapdragon Auto, Snapdragon Mobile

Improper handling between export and release functions on the same handle from client can lead to use after free in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile

Memory corruption in graphics support layer due to use after free condition in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables

Possible use after free scenario in compute offloads to DSP while multiple calls spawn a dynamic process in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile

In WCDMA in all Android releases from CAF using the Linux kernel, a Use After Free vulnerability could potentially exist.