CVE ID | Publié | Description | Score | Gravité |
---|---|---|---|---|
Transient DOS while parsing a vender specific IE (Information Element) of reassociation response management frame. | 7.5 |
Haute |
||
Memory corruption in DSP Services during a remote call from HLOS to DSP. | 7.8 |
Haute |
||
Cryptographic issue in GPS HLOS Driver while downloading Qualcomm GNSS assistance data. | 9.1 |
Critique |
||
Transient DOS in Data modem while handling TLB control messages from the Network. | 7.5 |
Haute |
||
Transient DOS in Modem when a Beam switch request is made with a non-configured BWP. | 7.5 |
Haute |
||
Transient DOS in Modem after RRC Setup message is received. | 7.5 |
Haute |
||
Memory corruption in HLOS while invoking IOCTL calls from user-space. | 8.4 |
Haute |
||
Memory corruption while using the UIM diag command to get the operators name. | 7.8 |
Haute |
||
Memory corruption in Audio while processing the VOC packet data from ADSP. | 7.8 |
Haute |
||
Memory corruption in Automotive Audio while copying data from ADSP shared buffer to the VOC packet data buffer. | 7.8 |
Haute |
||
Memory corruption while invoking callback function of AFE from ADSP. | 7.8 |
Haute |
||
Memory corruption in DSP Service during a remote call from HLOS to DSP. | 8.4 |
Haute |
||
Transient DOS in WLAN Firmware while parsing rsn ies. | 7.5 |
Haute |
||
Cryptographic issue in Data Modem due to improper authentication during TLS handshake. | 9.1 |
Critique |
||
Memory corruption in WLAN HAL while processing devIndex from untrusted WMI payload. | 7.8 |
Haute |
||
Memory corruption due to improper validation of array index in WLAN HAL when received lm_itemNum is out of range. | 8.4 |
Haute |
||
Transient DOS in Audio while remapping channel buffer in media codec decoding. | 7.5 |
Haute |
||
Memory Corruption in GPU Subsystem due to arbitrary command execution from GPU in privileged mode. | 7.8 |
Haute |
||
Transient DOS in WLAN Firmware while processing frames with missing header fields. | 7.5 |
Haute |
||
Memoru corruption in Audio when ADSP sends input during record use case. | 7.8 |
Haute |
||
Memory corruption in WLAN HOST while receiving an WMI event from firmware. | 7.8 |
Haute |
||
Memory corruption in WLAN HAL while processing WMI-UTF command or FTM TLV1 command. | 8.4 |
Haute |
||
Transient DOS due to improper authentication in modem while receiving plain TLB OTA request message from network. | 7.5 |
Haute |
||
Memory corruption due to improper access control in kernel while processing a mapping request from root process. | 7.8 |
Haute |
||
Information disclosure in Kernel due to indirect branch misprediction. | 7.1 |
Haute |
||
Transient DOS due to improper authorization in Modem | 7.5 |
Haute |
||
Memory corruption due to double free in Core while mapping HLOS address to the list. | 8.4 |
Haute |
||
Memory corruption in modem due to stack based buffer overflow while parsing OTASP Key Generation Request Message. | 7.9 |
Haute |
||
Transient DOS due to reachable assertion in Modem because of invalid network configuration. | 7.5 |
Haute |
||
Memory corruption in FM Host due to buffer copy without checking the size of input in FM Host | 7.8 |
Haute |
||
information disclosure due to cryptographic issue in Core during RPMB read request. | 7.1 |
Haute |
||
Assertion occurs while processing Reconfiguration message due to improper validation | 7.5 |
Haute |
||
Transient DOS due to reachable assertion in Modem when UE received Downlink Data Indication message from the network. | 7.5 |
Haute |
||
Memory corruption in Graphics while importing a file. | 8.4 |
Haute |
||
Transient DOS due to reachable assertion in Modem while processing config related to cross carrier scheduling, which is not supported. | 7.5 |
Haute |
||
Transient DOS due to reachable assertion in Modem during OSI decode scheduling. | 7.5 |
Haute |
||
Transient DOS due to NULL pointer dereference in Modem while sending invalid messages in DCCH. | 7.5 |
Haute |
||
Memory corruption due to integer overflow or wraparound in WLAN while sending WMI cmd from host to target. | 8.4 |
Haute |
||
Information disclosure due to buffer over-read in Bluetooth Host while A2DP streaming. | 8.2 |
Haute |
||
Memory corruption due to improper validation of array index in User Identity Module when APN TLV length is greater than command length. | 7.8 |
Haute |
||
Memory corruption due to use after free in Modem while modem initialization. | 7.8 |
Haute |
||
Memory corruption due to integer overflow to buffer overflow in Modem while parsing Traffic Channel Neighbor List Update message. | 7.8 |
Haute |
||
Memory corruption occurs in Modem due to improper validation of array index when malformed APDU is sent from card. | 6.8 |
Moyen |
||
Transient DOS due to time-of-check time-of-use race condition in Modem while processing RRC Reconfiguration message. | 7.5 |
Haute |
||
Memory corruption due to double free in core while initializing the encryption key. | 9.3 |
Critique |
||
Memory corruption due to improper check to return error when user application requests memory allocation of a huge size in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 7.8 |
Haute |
||
A race between command submission and destroying the context can cause an invalid context being added to the list leads to use after free issue. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 7 |
Haute |
||
An improper free of uninitialized memory can occur in DIAG services in Snapdragon Compute, Snapdragon Industrial IOT, Snapdragon Mobile | 8.4 |
Haute |
||
Use after free due to race condition when reopening the device driver repeatedly in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 7 |
Haute |
||
Out of bound read will happen if EAPOL Key length is less than expected while processing NAN shared key descriptor attribute in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 7.5 |
Haute |
||
Use after free issue when importing a DMA buffer by using the CPU address of the buffer due to attachment is not cleaned up properly in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 7.8 |
Haute |
||
Possible Buffer over-read in ARP/NS parsing due to lack of check of packet length received in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 7.5 |
Haute |
||
Possible heap overflow while parsing NAL header due to lack of check of length of data received from user in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile | 9.8 |
Critique |
||
Memory corruption due to buffer overflow while copying the message provided by HLOS into buffer without validating the length of buffer in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking | 7.8 |
Haute |
||
Trusted APPS to overwrite the CPZ memory of another use-case as TZ only checks the physical address not overlapping with its memory and its RoT memory in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 7.8 |
Haute |
||
Out of bound read access in hypervisor due to an invalid read access attempt by passing invalid addresses in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 6 |
Moyen |
||
Allowing RTT frames to be linked with non randomized MAC address by comparing the sequence numbers can lead to information disclosure. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 7.5 |
Haute |
||
Arithmetic overflow can happen while processing NOA IE due to improper error handling in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 7.5 |
Haute |
||
A buffer overflow can occur when playing an MKV clip due to lack of input validation in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 9.8 |
Critique |
||
Improper access control when using mmap with the kgsl driver with a special offset value that can be provided to map the memstore of the GPU to user space in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 7.8 |
Haute |
||
Denial of service while processing fine timing measurement request (FTMR) frame with reserved bits set in the FTM parameter IE due to improper error handling in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 7.5 |
Haute |
||
Allowing RTT frames to be linked with non randomized MAC address by comparing the sequence numbers can lead to information disclosure. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 7.5 |
Haute |
||
Possible denial of service while handling host WMI command due to improper validation in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 7.5 |
Haute |
||
Possible buffer over read while processing P2P IE and NOA attribute of beacon and probe response frames due to improper validation of P2P IE and NOA attribute lengths in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 9.1 |
Critique |
||
Possible race condition during async fastrpc session after sending RPC message due to the fastrpc ctx gets free during async session in Snapdragon Compute, Snapdragon Industrial IOT, Snapdragon Mobile | 7.4 |
Haute |
||
Possible buffer over-read while parsing quiet IE in Rx beacon frame due to improper check of IE length in received beacon in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 9.1 |
Critique |
||
Possible denial of service due to RTT responder consistently rejects all FTMR by transmitting FTM1 with failure status in the FTM parameter IE in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 7.5 |
Haute |
||
Possible memory corruption and information leakage in sub-system due to lack of check for validity and boundary compliance for parameters that are read from shared MSG RAM in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 7.8 |
Haute |
||
Out of bound write and read in TA while processing command from NS side due to improper length check on command and response buffers in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music | 7.8 |
Haute |
||
Key material used for TZ diag buffer encryption and other data related to log buffer is not wiped securely due to improper usage of memset in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 6.7 |
Moyen |
||
Possible out of bound access in TA while processing a command from NS side due to improper length check of response buffer in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking | 7.8 |
Haute |
||
A possible double free or invalid memory access in audio driver while reading Speaker Protection parameters in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile | 7.8 |
Haute |
||
Buffer over read can happen in video driver when playing clip with atomsize having value UINT32_MAX in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 9.8 |
Critique |
||
Buffer over-read while processing NDL attribute if attribute length is larger than expected and then FW is treating it as more number of immutable schedules in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 7.5 |
Haute |
||
An out of bounds read can happen when processing VSA attribute due to improper minimum required length check in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 9.1 |
Critique |
||
Out of bound reads might occur in while processing Service descriptor due to improper validation of length of fields in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 9.8 |
Critique |
||
Buffer over-read while parsing RPS due to lack of check of input validation on values received from user side. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile | 7.5 |
Haute |
||
Out of bounds reads while parsing NAN beacons attributes and OUIs due to improper length of field check in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 9.8 |
Critique |
||
Possible integer overflow can occur when stream info update is called when total number of streams detected are zero while parsing TS clip with invalid data in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 9.8 |
Critique |
||
Arbitrary read and write to kernel addresses by temporarily overwriting ring buffer pointer and creating a race condition. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 7 |
Haute |