CPE Details
Alerte pour un CPE
Restez informé de toutes modifications pour un CPE spécifique.
CPE Name: cpe:2.3:h:qualcomm:qca6678aq:-:*:*:*:*:*:*:*
Informations
Vendor
qualcommProduct
qca6678aqVersion
-Related CVE
| CVE ID | Publié | Description | Score | Gravité |
|---|---|---|---|---|
| Memory corruption while processing input message passed from FE driver. | 7.8 |
Haute |
||
| Transient DOS may occur while processing the country IE. | 7.5 |
Haute |
||
| Memory corruption in display driver while detaching a device. | 7.8 |
Haute |
||
| Memory corruption may occur while accessing a variable during extended back to back tests. | 7.8 |
Haute |
||
| Memory corruption may occur while validating ports and channels in Audio driver. | 7.8 |
Haute |
||
| Information disclosure while deriving keys for a session for any Widevine use case. | 5.5 |
Moyen |
||
| Memory corruption during management frame processing due to mismatch in T2LM info element. | 9.8 |
Critique |
||
| Information disclosure while parsing the OCI IE with invalid length. | 8.2 |
Haute |
||
| Memory corruption while power-up or power-down sequence of the camera sensor. | 7.8 |
Haute |
||
| Memory corruption can occur in the camera when an invalid CID is used. | 7.8 |
Haute |
||
| Memory corruption can occur when a compat IOCTL call is followed by a normal IOCTL call from userspace. | 7.8 |
Haute |
||
| Memory corruption may occour occur when stopping the WLAN interface after processing a WMI command from the interface. | 7.8 |
Haute |
||
| Memory corruption while parsing the ML IE due to invalid frame content. | 9.8 |
Critique |
||
| Memory corruption while configuring a Hypervisor based input virtual device. | 8.8 |
Haute |
||
| Transient DOS can occur when the driver parses the per STA profile IE and tries to access the EXTN element ID without checking the IE length. | 7.5 |
Haute |
||
| Transient DOS while parsing the ML IE when a beacon with common info length of the ML IE greater than the ML IE inside which this element is present. | 7.5 |
Haute |
||
| Memory corruption when allocating and accessing an entry in an SMEM partition continuously. | 8.4 |
Haute |
||
| Memory corruption while Configuring the SMR/S2CR register in Bypass mode. | 8.4 |
Haute |
||
| Memory corruption while invoking redundant release command to release one buffer from user space as race condition can occur in kernel space between buffer release and buffer access. | 7 |
Haute |
||
| Memory corruption while processing voice packet with arbitrary data received from ADSP. | 7.8 |
Haute |
||
| Memory corruption while processing GPU commands. | 7.8 |
Haute |
||
| Memory corruption while invoking IOCTL calls from the use-space for HGSL memory node. | 7.8 |
Haute |
||
| Cryptographic issue when a controller receives an LMP start encryption command under unexpected conditions. | 9.1 |
Critique |
||
| Transient DOS while processing the CU information from RNR IE. | 7.5 |
Haute |
||
| Transient DOS while parsing fragments of MBSSID IE from beacon frame. | 7.5 |
Haute |
||
| Transient DOS while parsing probe response and assoc response frame. | 7.5 |
Haute |
||
| Information disclosure while parsing the BSS parameter change count or MLD capabilities fields of the ML IE. | 8.2 |
Haute |
||
| Transient DOS when transmission of management frame sent by host is not successful and error status is received in the host. | 7.5 |
Haute |
||
| Transient DOS while parsing noninheritance IE of Extension element when length of IE is 2 of beacon frame. | 7.5 |
Haute |
||
| Memory corruption when invalid length is provided from HLOS for FRS/UDS request/response buffers. | 7.8 |
Haute |
||
| Memory corruption while processing IOCTL call for getting group info. | 7.8 |
Haute |
||
| Memory corruption when two threads try to map and unmap a single node simultaneously. | 8.4 |
Haute |
||
| Transient DOS while parsing the multi-link element Control field when common information length check is missing before updating the location. | 7.5 |
Haute |
||
| Transient DOS while processing TIM IE from beacon frame as there is no check for IE length. | 7.5 |
Haute |
||
| Transient DOS while parsing MBSSID during new IE generation in beacon/probe frame when IE length check is either missing or improper. | 7.5 |
Haute |
||
| Transient DOS while parsing the received TID-to-link mapping element of beacon/probe response frame. | 7.5 |
Haute |
||
| Memory corruption when BTFM client sends new messages over Slimbus to ADSP. | 8.4 |
Haute |
||
| Memory corruption can occur if VBOs hold outdated or invalid GPU SMMU mappings, especially when the binding and reclaiming of memory buffers are performed at the same time. | 8.4 |
Haute |
||
| Memory corruption as fence object may still be accessed in timeline destruct after isync fence is released. | 8.4 |
Haute |
||
| Transient DOS while parsing probe response and assoc response frame when received frame length is less than max size of timestamp. | 7.5 |
Haute |
||
| Transient DOS while parsing the BSS parameter change count or MLD capabilities fields of the ML IE. | 7.5 |
Haute |
||
| Transient DOS while parsing the ML IE when a beacon with length field inside the common info of ML IE greater than the ML IE length. | 7.5 |
Haute |
||
| Memory corruption while creating a fence to wait on timeline events, and simultaneously signal timeline events. | 8.4 |
Haute |
||
| Memory corruption while processing IOCTL call to set metainfo. | 8.4 |
Haute |
||
| Transient DOS while processing TID-to-link mapping IE elements. | 7.5 |
Haute |
||
| Transient DOS while parsing the received TID-to-link mapping action frame. | 7.5 |
Haute |
||
| Transient DOS while parsing the received TID-to-link mapping element of the TID-to-link mapping action frame. | 7.5 |
Haute |
||
| Transient DOS while parsing SCAN RNR IE when bytes received from AP is such that the size of the last param of IE is less than neighbor report. | 7.5 |
Haute |
||
| Transient DOS while parsing ESP IE from beacon/probe response frame. | 7.5 |
Haute |
||
| Transient DOS when driver accesses the ML IE memory and offset value is incremented beyond ML IE length. | 7.5 |
Haute |
||
| Transient DOS while parsing the multiple MBSSID IEs from the beacon, when the tag length is non-zero value but with end of beacon. | 7.5 |
Haute |
||
| Transient DOS while parsing the MBSSID IE from the beacons, when the MBSSID IE length is zero. | 7.5 |
Haute |
||
| Transient DOS while parsing fragments of MBSSID IE from beacon frame. | 7.5 |
Haute |
||
| Memory corruption when the mapped pages in VBO are still mapped after reclaiming by shrinker. | 8.4 |
Haute |
||
| Memory corruption when kernel driver attempts to trigger hardware fences. | 8.4 |
Haute |
||
| Memory corruption while processing graphics kernel driver request to create DMA fence. | 8.4 |
Haute |
||
| Memory corruption when memory mapped in a VBO is not unmapped by the GPU SMMU. | 8.4 |
Haute |
||
| Transient DOS while importing a PKCS#8-encoded RSA key with zero bytes modulus. | 6.2 |
Moyen |
||
| Memory corruption during session sign renewal request calls in HLOS. | 7.8 |
Haute |
||
| Memory corruption when keymaster operation imports a shared key. | 7.8 |
Haute |
||
| Memory corruption when preparing a shared memory notification for a memparcel in Resource Manager. | 8.4 |
Haute |
||
| Information disclosure while handling beacon probe frame during scan entry generation in client side. | 7.5 |
Haute |
||
| Information disclosure while handling beacon or probe response frame in STA. | 7.5 |
Haute |
||
| Memory corruption while handling user packets during VBO bind operation. | 8.4 |
Haute |
||
| Memory corruption when IOMMU unmap operation fails, the DMA and anon buffers are getting released. | 8.4 |
Haute |
||
| Memory corruption while invoking IOCTL call for GPU memory allocation and size param is greater than expected size. | 8.4 |
Haute |
||
| Memory corruption when allocating and accessing an entry in an SMEM partition. | 7.8 |
Haute |
||
| Memory corruption when an invoke call and a TEE call are bound for the same trusted application. | 7.8 |
Haute |
||
| Information disclosure while parsing sub-IE length during new IE generation. | 7.5 |
Haute |
||
| Memory corruption while processing key blob passed by the user. | 7.8 |
Haute |
||
| Transient DOS while loading the TA ELF file. | 7.1 |
Haute |
||
| Memory corruption while performing finish HMAC operation when context is freed by keymaster. | 8.4 |
Haute |
||
| Information disclosure while handling SA query action frame. | 7.5 |
Haute |
||
| INformation disclosure while handling Multi-link IE in beacon frame. | 7.5 |
Haute |
||
| Information Disclosure while parsing beacon frame in STA. | 9.1 |
Critique |
||
| Memory corruption as GPU registers beyond the last protected range can be accessed through LPAC submissions. | 8.4 |
Haute |
||
| Memory corruption while playing audio file having large-sized input buffer. | 9.8 |
Critique |
||
| Memory corruption when the payload received from firmware is not as per the expected protocol size. | 7.8 |
Haute |
||
| Memory corruption when IOMMU unmap of a GPU buffer fails in Linux. | 8.4 |
Haute |
||
| Memory corruption while verifying the serialized header when the key pairs are generated. | 8.4 |
Haute |
||
| Memory corruption in HLOS while checking for the storage type. | 7.8 |
Haute |
||
| Memory corruption while loading a VM from a signed VM image that is not coherent in the processor cache. | 8.4 |
Haute |
||
| Memory corruption while processing Codec2 during v13k decoder pitch synthesis. | 9.8 |
Critique |
||
| Memory corruption while processing buffer initialization, when trusted report for certain report types are generated. | 7.8 |
Haute |
||
| Memory corruption while processing finish_sign command to pass a rsp buffer. | 8.4 |
Haute |
||
| Memory corruption in SPS Application while requesting for public key in sorter TA. | 8.4 |
Haute |
||
| Memory corruption while parsing beacon/probe response frame when AP sends more supported links in MLIE. | 9.8 |
Critique |
||
| Memory corruption while processing MBSSID beacon containing several subelement IE. | 9.8 |
Critique |
||
| Memory corruption while parsing qcp clip with invalid chunk data size. | 9.8 |
Critique |
||
| Memory corruption while invoking IOCTLs calls in Automotive Multimedia. | 8.4 |
Haute |
||
| Memory corruption while invoking HGSL IOCTL context create. | 8.4 |
Haute |
||
| Memory corruption in Core Services while executing the command for removing a single event listener. | 9.3 |
Critique |
||
| Transient DOS while parse fils IE with length equal to 1. | 7.5 |
Haute |
||
| Transient DOS in WLAN Firmware when the length of received beacon is less than length of ieee802.11 beacon frame. | 7.5 |
Haute |
||
| Transient DOS while key unwrapping process, when the given encrypted key is empty or NULL. | 7.5 |
Haute |
||
| Transient DOS while parsing IPv6 extension header when WLAN firmware receives an IPv6 packet that contains `IPPROTO_NONE` as the next header. | 7.5 |
Haute |
||
| Transient DOS while processing a WMI P2P listen start command (0xD00A) sent from host. | 7.5 |
Haute |
||
| Transient DOS in WLAN Firmware while parsing a BTM request. | 7.5 |
Haute |
||
| Transient DOS while parsing WPA IES, when it is passed with length more than expected size. | 7.5 |
Haute |
||
| Transient DOS when processing a NULL buffer while parsing WLAN vdev. | 7.5 |
Haute |
||
| Memory corruption when processing cmd parameters while parsing vdev. | 8.4 |
Haute |
||
| Transient DOS while parsing a vender specific IE (Information Element) of reassociation response management frame. | 7.5 |
Haute |
||
| Memory corruption in BT controller while parsing debug commands with specific sub-opcodes at HCI interface level. | 7.8 |
Haute |
||
| Memory corruption in MPP performance while accessing DSM watermark using external memory address. | 7.8 |
Haute |
||
| Transient DOS in WLAN Firmware while parsing no-inherit IES. | 7.5 |
Haute |
||
| Memory corruption in WLAN HOST while processing the WLAN scan descriptor list. | 8.8 |
Haute |
||
| Information Disclosure in WLAN Host when processing WMI event command. | 6.1 |
Moyen |
||
| Memory corruption in WLAN Firmware while doing a memory copy of pmk cache. | 9.8 |
Critique |
||
| Transient DOS in WLAN Firmware while parsing rsn ies. | 7.5 |
Haute |
||
| Transient DOS in WLAN Firmware while parsing a NAN management frame. | 7.5 |
Haute |
||
| Information disclosure in WLAN HOST while processing the WLAN scan descriptor list during roaming scan. | 6.1 |
Moyen |
||
| Memory corruption in WLAN Host when the firmware invokes multiple WMI Service Available command. | 7.8 |
Haute |
||
| Transient DOS in WLAN Firmware while interpreting MBSSID IE of a received beacon frame. | 7.5 |
Haute |
||
| Memory corruption in WLAN HAL while parsing WMI command parameters. | 7.8 |
Haute |
||
| Memory corruption in WLAN HAL while handling command through WMI interfaces. | 7.8 |
Haute |
||
| Memory corruption in WLAN handler while processing PhyID in Tx status handler. | 7.8 |
Haute |
||
| Memory corruption in WLAN HAL while processing command parameters from untrusted WMI payload. | 7.8 |
Haute |
||
| Memory corruption in WLAN HAL while parsing Rx buffer in processing TLV payload. | 7.8 |
Haute |
||
| Memory corruption in WLAN HAL while processing Tx/Rx commands from QDART. | 7.8 |
Haute |
||
| Memory corruption due to improper validation of array index in WLAN HAL when received lm_itemNum is out of range. | 8.4 |
Haute |
||
| Memory Corruption in Data Modem while processing DMA buffer release event about CFR data. | 7.8 |
Haute |
||
| Transient DOS in WLAN Firmware while processing frames with missing header fields. | 7.5 |
Haute |
||
| Transient DOS in WLAN Firmware while processing the received beacon or probe response frame. | 7.5 |
Haute |
||
| Memory corruption in WLAN HOST while receiving an WMI event from firmware. | 7.8 |
Haute |
||
| Memory corruption due to integer overflow or wraparound in WLAN while sending WMI cmd from host to target. | 8.4 |
Haute |
||
| Memory corruption in WLAN due to incorrect type cast while sending WMI_SCAN_SCH_PRIO_TBL_CMDID message. | 8.4 |
Haute |
||
| Memory corruption in WLAN due to integer overflow to buffer overflow in WLAN during initialization phase. | 8.4 |
Haute |
||
| Memory corruption due to buffer copy without checking the size of input in WLAN Firmware while processing CCKM IE in reassoc response frame. | 9.8 |
Critique |
||
| Transient DOS in WLAN Firmware due to buffer over-read while processing probe response or beacon. | 7.5 |
Haute |
||
| Transient DOS due to buffer over-read in WLAN Host while parsing frame information. | 7.5 |
Haute |
||
| Transient DOS due to buffer over-read in WLAN while processing an incoming management frame with incorrectly filled IEs. | 7.5 |
Haute |
||
| Memory corruption in modem due to buffer copy without checking size of input while receiving WMI command. | 8.4 |
Haute |
||
| Information disclosure due to buffer over-read in WLAN while parsing NMF frame. | 8.2 |
Haute |
