Memory corruption in Audio while processing IIR config data from AFE calibration block.
Memory corruption in HLOS while converting from authorization token to HIDL vector.
Memory corruption in Audio while processing the calibration data returned from ACDB loader.
Memory corruption while sending SMS from AP firmware.
Memory corruption in WLAN while running doDriverCmd for an unspecified command.
Memory corruption in Core due to buffer copy without checking the size of input while processing ioctl queries.
Memory corruption due to buffer copy without checking the size of input in Core while processing ioctl commands from diag client applications.
Memory corruption in FM Host due to buffer copy without checking the size of input in FM Host.
Memory corruption while invoking IOCTL calls for MSM module from the user space during audio playback and record.
Memory corruption during the network scan request.
Possible out-of-bound write due to lack of a boundary check on the maximum buffer size when sending a DCI packet to a remote process in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking.
Possible out-of-bound access due to improper validation of item size and DIAG memory pool data while switching between USB and PCIE interfaces in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking.
Memory corruption while parsing IPC frequency table parameters for LPLH whose size is greater than the expected size.
Memory corruption while copying the sound model data from user to kernel buffer during sound model register.
Memory corruption while querying module parameters from Listen Sound model client in kernel from user space.
Memory corruption when the bandpass filter order received from AHAL is not within the expected range.
Memory corruption in camera due to buffer copy without checking size of input in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Mobile, Snapdragon Wearables.
Memory corruption while processing shared command buffer packet between camera userspace and kernel.
Possible buffer overflow due to lack of an offset length check while updating the buffer value in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables.
Buffer overflow while processing the IOCTL for getting peripheral endpoint information: the input maximum endpoint pair and its size are not properly validated, in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking.
Possible buffer overflow due to improper validation of buffer length while processing fastboot commands in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music.
Memory corruption can occur during context user dumps due to inadequate checks on buffer length.
A process can potentially cause a buffer overflow in the display service, allowing privilege escalation by executing code as that service, in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables.
Memory Corruption in WLAN Host while deserializing the input PMK bytes without checking the input PMK length.
Memory corruption while processing audio effects.
Memory corruption in WLAN Host while setting the PMK length in the internal cache.
Memory Corruption in VR Service while sending data using Fast Message Queue (FMQ).
Memory corruption in Audio while processing sva_model_serializer using memory size passed by HIDL client.
Memory corruption in Linux when the file upload API is called with parameters carrying a large buffer.
Memory Corruption in Data Network Stack & Connectivity when a SIM is detected on telephony.
Possible buffer overflow due to lack of a length check on the source and destination buffers before copying in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music.
Certain unprivileged processes are able to perform IOCTL calls.
Memory corruption while receiving a message in Bus Socket Transport Server.
Memory corruption in Audio while calling START command on host voice PCM multiple times for the same RX or TX tap points.
The QCMAP_CLI utility in the Qualcomm QCMAP software suite prior to versions released in October 2020 uses a system() call without validating the input, while handling a SetGatewayUrl() request. A local attacker with shell access can pass shell metacharacters and run arbitrary commands. If QCMAP_CLI can be run via sudo or setuid, this also allows elevating privileges to root. This version of QCMAP is used in many kinds of networking devices, primarily mobile hotspots and LTE routers.
Memory Corruption in camera while installing a fd for a particular DMA buffer.
Memory Corruption in Radio Interface Layer while sending an SMS or writing an SMS to SIM.
Memory corruption in Trusted Execution Environment while calling service API with invalid address.
Memory corruption in Linux while calling system configuration APIs.
Memory Corruption in GPS HLOS Driver when injectFdclData receives data with invalid data length.
Memory corruption when the user application modifies the same shared memory asynchronously while the kernel is accessing it.
Memory corruption while handling the PDR in driver for getting the remote heap maps.
Memory corruption while processing IOCTL calls to unmap the buffers.
Memory corruption when input validation of the number of fences is missing for fence frame IOCTL calls.
Memory corruption while processing frame command IOCTL calls.
Memory corruption when a PAL client calls PAL service APIs passing an arbitrary value as the handle, which the service does not validate.
Memory corruption when user space issues a redundant release command for a buffer, since a race condition can occur in kernel space between the buffer release and a buffer access.
Memory corruption due to buffer over-read in Modem while processing SetNativeHandle RTP service.
Memory corruption when multiple threads try to unregister the CVP buffer at the same time.
Memory corruption while parsing sensor packets in the camera driver: a user-space variable is used while allocating memory in the kernel and while parsing, which can lead to a huge allocation or an invalid memory access.
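Several of the entries above describe the same two ioctl bug classes: a user-supplied length used as the copy size without comparing it to the destination buffer (the "buffer copy without checking the size of input" entries for Core, FM Host and camera, and the source/destination length-check entry), and a user-supplied element count used to size a kernel allocation without a cap or overflow check (the camera sensor-packet entry). The following is an added example, not code from the Qualcomm bulletin or from any Qualcomm driver: a user-space model of an ioctl handler with both defects beside a hardened version. The struct names, the SET_CAL request layout, the size limits and the copy_from_user_sim() helper are assumptions made for the example; copy_from_user() and kmalloc() are stood in for by memcpy() and malloc().

```c
/* Added example: model of a calibration-loading ioctl handler, vulnerable vs. hardened.
 * Not Qualcomm code; cal_hdr, cal_dev, CAL_* limits and copy_from_user_sim are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAL_MAX_PAYLOAD 64u    /* size of the fixed calibration buffer (assumed) */
#define CAL_MAX_ENTRIES 1024u  /* driver policy cap on table entries (assumed) */
#define CAL_ENTRY_SIZE  16u    /* bytes per table entry (assumed) */
#define EINVAL_SIM      22     /* handlers return -EINVAL like a kernel driver would */
#define ENOMEM_SIM      12

/* Header a client hands to the hypothetical SET_CAL ioctl, followed by `len` payload bytes. */
struct cal_hdr {
    uint32_t len;        /* bytes of payload following the header */
    uint32_t n_entries;  /* number of table entries the driver must allocate */
};

/* Model of per-device state. region[0..63] is the calibration buffer; region[64..127]
 * is a guard area standing in for whatever follows the buffer in real kernel memory,
 * so an overflow is observable here without corrupting the process. */
struct cal_dev {
    uint8_t  region[2 * CAL_MAX_PAYLOAD];
    uint32_t table_bytes;   /* size of the most recent table allocation */
    void    *table;
};

/* Stand-in for copy_from_user(): 0 on success, nonzero when the user pointer faults. */
static int copy_from_user_sim(void *dst, const void *src, size_t n) {
    if (src == NULL) return 1;
    memcpy(dst, src, n);
    return 0;
}

static void cal_dev_init(struct cal_dev *dev) {
    memset(dev, 0, sizeof *dev);
    memset(dev->region + CAL_MAX_PAYLOAD, 0xAA, CAL_MAX_PAYLOAD); /* guard pattern */
}

static int cal_dev_guard_intact(const struct cal_dev *dev) {
    for (size_t i = CAL_MAX_PAYLOAD; i < sizeof dev->region; i++)
        if (dev->region[i] != 0xAA) return 0;
    return 1;
}

/* VULNERABLE: hdr.len is trusted as the copy length, and the table size is computed
 * in 32 bits, so n_entries = 0x10000001 wraps to a 16-byte allocation while a large
 * but non-wrapping count produces a huge allocation. */
static int vuln_set_cal(struct cal_dev *dev, const struct cal_hdr *uhdr, const uint8_t *upayload) {
    struct cal_hdr hdr;
    if (copy_from_user_sim(&hdr, uhdr, sizeof hdr)) return -EINVAL_SIM;
    if (copy_from_user_sim(dev->region, upayload, hdr.len)) return -EINVAL_SIM; /* no bound */
    uint32_t bytes = hdr.n_entries * CAL_ENTRY_SIZE;                           /* may wrap */
    free(dev->table);
    dev->table = malloc(bytes);
    dev->table_bytes = bytes;
    return dev->table ? 0 : -ENOMEM_SIM;
}

/* HARDENED: bound the length by the destination, cap the count by driver policy, and
 * size the allocation in size_t with an explicit overflow check. */
static int safe_set_cal(struct cal_dev *dev, const struct cal_hdr *uhdr, const uint8_t *upayload) {
    struct cal_hdr hdr;
    if (copy_from_user_sim(&hdr, uhdr, sizeof hdr)) return -EINVAL_SIM;
    if (hdr.len > CAL_MAX_PAYLOAD) return -EINVAL_SIM;
    if (hdr.n_entries == 0 || hdr.n_entries > CAL_MAX_ENTRIES) return -EINVAL_SIM;
    /* The cap already makes this unreachable; it protects the arithmetic if the cap changes. */
    if (hdr.n_entries > SIZE_MAX / CAL_ENTRY_SIZE) return -EINVAL_SIM;
    size_t bytes = (size_t)hdr.n_entries * CAL_ENTRY_SIZE;
    if (copy_from_user_sim(dev->region, upayload, hdr.len)) return -EINVAL_SIM;
    void *t = malloc(bytes);
    if (!t) return -ENOMEM_SIM;
    free(dev->table);
    dev->table = t;
    dev->table_bytes = (uint32_t)bytes;
    return 0;
}

struct outcome { int rc; int guard_ok; uint32_t table_bytes; };

/* Drive one handler with a constructed request: `len` bytes of 0x41 (at most
 * 2*CAL_MAX_PAYLOAD, so the constructed source buffer is never over-read) and
 * `n_entries` table entries. Reports the return code, guard state and allocation size. */
static struct outcome exercise(int use_vulnerable, uint32_t len, uint32_t n_entries) {
    struct outcome out = { -1, 1, 0 };
    uint8_t user_payload[2 * CAL_MAX_PAYLOAD];
    struct cal_hdr user_hdr = { len, n_entries };
    struct cal_dev dev;
    if (len > sizeof user_payload) return out;
    memset(user_payload, 0x41, sizeof user_payload);
    cal_dev_init(&dev);
    out.rc = use_vulnerable ? vuln_set_cal(&dev, &user_hdr, user_payload)
                            : safe_set_cal(&dev, &user_hdr, user_payload);
    out.guard_ok = cal_dev_guard_intact(&dev);
    out.table_bytes = dev.table_bytes;
    free(dev.table);
    return out;
}

int main(void) {
    struct outcome v = exercise(1, 80, 0x10000001u); /* 80 > 64 bytes, wrapping count */
    struct outcome s = exercise(0, 80, 0x10000001u);
    printf("vulnerable: rc=%d guard_intact=%d table_bytes=%u\n", v.rc, v.guard_ok, v.table_bytes);
    printf("hardened:   rc=%d guard_intact=%d table_bytes=%u\n", s.rc, s.guard_ok, s.table_bytes);
    return 0;
}
```

With the oversized request the vulnerable handler returns success, the guard bytes past the 64-byte buffer are overwritten, and the "table" is a 16-byte allocation that a later loop over 0x10000001 entries would run off the end of; the hardened handler rejects the same request with -EINVAL before touching device state. In a real driver the checks belong before any copy_from_user() into device memory, and the count cap should reflect what the hardware can actually consume rather than what the kernel can allocate.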