CVE ID | Publié | Description | Score | Gravité |
---|---|---|---|---|
Transient DOS may occur while processing the country IE. | 7.5 |
Haute |
||
Memory corruption may occur while validating ports and channels in Audio driver. | 7.8 |
Haute |
||
Information disclosure while deriving keys for a session for any Widevine use case. | 5.5 |
Moyen |
||
Information disclosure while parsing the OCI IE with invalid length. | 8.2 |
Haute |
||
Memory corruption while configuring a Hypervisor based input virtual device. | 8.8 |
Haute |
||
Memory corruption while parsing the memory map info in IOCTL calls. | 7.8 |
Haute |
||
Information disclosure while invoking callback function of sound model driver from ADSP for every valid opcode received from sound model driver. | 6.1 |
Moyen |
||
Memory corruption while maintaining memory maps of HLOS memory. | 7.8 |
Haute |
||
Memory corruption when two threads try to map and unmap a single node simultaneously. | 8.4 |
Haute |
||
Memory corruption when user provides data for FM HCI command control operations. | 7.8 |
Haute |
||
Transient DOS while processing TIM IE from beacon frame as there is no check for IE length. | 7.5 |
Haute |
||
Memory corruption when Alternative Frequency offset value is set to 255. | 7.8 |
Haute |
||
Information disclosure in Video while parsing mp2 clip with invalid section length. | 8.2 |
Haute |
||
Cryptographic issue while performing attach with a LTE network, a rogue base station can skip the authentication phase and immediately send the Security Mode Command. | 9.1 |
Critique |
||
Memory corruption while copying a keyblob`s material when the key material`s size is not accurately checked. | 7.8 |
Haute |
||
Memory corruption in TZ Secure OS while Tunnel Invoke Manager initialization. | 9.3 |
Critique |
||
Memory corruption while playing audio file having large-sized input buffer. | 9.8 |
Critique |
||
Memory corruption when the channel ID passed by user is not validated and further used. | 7.8 |
Haute |
||
Memory corruption when the payload received from firmware is not as per the expected protocol size. | 7.8 |
Haute |
||
Memory corruption when IOMMU unmap of a GPU buffer fails in Linux. | 8.4 |
Haute |
||
Memory corruption while verifying the serialized header when the key pairs are generated. | 8.4 |
Haute |
||
Memory corruption in HLOS while checking for the storage type. | 7.8 |
Haute |
||
Transient DOS while processing IKEv2 Informational request messages, when a malformed fragment packet is received. | 7.5 |
Haute |
||
Information disclosure when the ADSP payload size received in HLOS in response to Audio Stream Manager matrix session is less than this expected size. | 6.1 |
Moyen |
||
Information disclosure while parsing dts header atom in Video. | 6.8 |
Moyen |
||
Memory corruption when multiple listeners are being registered with the same file descriptor. | 7.8 |
Haute |
||
Memory corruption while loading a VM from a signed VM image that is not coherent in the processor cache. | 8.4 |
Haute |
||
Memory corruption when there is failed unmap operation in GPU. | 8.4 |
Haute |
||
Memory corruption while processing Codec2 during v13k decoder pitch synthesis. | 9.8 |
Critique |
||
Memory corruption while processing buffer initialization, when trusted report for certain report types are generated. | 7.8 |
Haute |
||
Information disclosure when VI calibration state set by ADSP is greater than MAX_FBSP_STATE in the response payload to AFE calibration command. | 5.5 |
Moyen |
||
Transient DOS while processing DL NAS TRANSPORT message with payload length 0. | 7.5 |
Haute |
||
Transient DOS while processing SMS container of non-standard size received in DL NAS transport in NR. | 7.5 |
Haute |
||
Memory corruption while processing finish_sign command to pass a rsp buffer. | 8.4 |
Haute |
||
Memory corruption in SPS Application while requesting for public key in sorter TA. | 8.4 |
Haute |
||
Memory corruption while processing TPC target power table in FTM TPC. | 8.4 |
Haute |
||
Memory corruption while parsing qcp clip with invalid chunk data size. | 9.8 |
Critique |
||
Transient DOS while processing an improperly formatted 802.11az Fine Time Measurement protocol frame. | 7.5 |
Haute |
||
Transient DOS while processing PDU Release command with a parameter PDU ID out of range. | 7.5 |
Haute |
||
Transient DOS while processing DL NAS Transport message, as specified in 3GPP 24.501 v16. | 7.5 |
Haute |
||
Transient DOS while processing multiple payload container type with incorrect container length received in DL NAS transport OTA in NR. | 7.5 |
Haute |
||
Transient DOS while processing channel information for speaker protection v2 module in ADSP. | 5.5 |
Moyen |
||
Transient DOS while processing multiple IKEV2 Informational Request to device from IPSEC server with different identifiers. | 7.5 |
Haute |
||
Memory corruption in Audio while processing RT proxy port register driver. | 8.4 |
Haute |
||
Memory corruption in Core Services while executing the command for removing a single event listener. | 9.3 |
Critique |
||
Memory corruption in Graphics while processing user packets for command submission. | 8.4 |
Haute |
||
Transient DOS in WLAN Firmware while interpreting MBSSID IE of a received beacon frame. | 7.5 |
Haute |
||
Memory corruption in WLAN Firmware while parsing receieved GTK Keys in GTK KDE. | 9.8 |
Critique |
||
Memory corruption in WLAN HAL while parsing WMI command parameters. | 7.8 |
Haute |
||
Memory corruption in WLAN HAL while handling command through WMI interfaces. | 7.8 |
Haute |
||
In the function call related to CAM_REQ_MGR_RELEASE_BUF there is no check if the buffer is being used. So when a function called cam_mem_get_cpu_buf to get the kernel va to use, another thread can call CAM_REQ_MGR_RELEASE_BUF to unmap the kernel va which cause UAF of the kernel address. | 7.8 |
Haute |
||
The buffer obtained from kernel APIs such as cam_mem_get_cpu_buf() may be readable/writable in userspace after kernel accesses it. In other words, user mode may race and modify the packet header (e.g. header.count), causing checks (e.g. size checks) in kernel code to be invalid. This may lead to out-of-bounds read/write issues. | 7 |
Haute |
||
The cam_get_device_priv function does not check the type of handle being returned (device/session/link). This would lead to invalid type usage if a wrong handle is passed to it. | 7.8 |
Haute |
||
Memory Corruption in WLAN HOST while fetching TX status information. | 7.8 |
Haute |
||
Memory Corruption in Data Modem while processing DMA buffer release event about CFR data. | 7.8 |
Haute |
||
Memory Corruption in WLAN HOST while parsing QMI WLAN Firmware response message. | 7.8 |
Haute |
||
Memory Corruption in WLAN HOST while parsing QMI response message from firmware. | 7.8 |
Haute |
||
Memory Corruption in Audio while allocating the ion buffer during the music playback. | 8.4 |
Haute |
||
Arbitrary memory overwrite when VM gets compromised in TX write leading to Memory Corruption. | 7.8 |
Haute |
||
Memory Corruption in WLAN HOST while processing WLAN FW request to allocate memory. | 7.8 |
Haute |
||
Memory corruption in Audio while running concurrent tunnel playback or during concurrent audio tunnel recording sessions. | 8.4 |
Haute |
||
Memory corruption in Video while calling APIs with different instance ID than the one received in initialization. | 7.8 |
Haute |
||
Memory corruption in Linux while calling system configuration APIs. | 7.8 |
Haute |
||
Memory Corruption in Data Network Stack & Connectivity when sim gets detected on telephony. | 7.8 |
Haute |
||
Memory Corruption in Linux while processing QcRilRequestImsRegisterMultiIdentityMessage request. | 7.8 |
Haute |
||
Weak Configuration due to improper input validation in Modem while processing LTE security mode command message received from network. | 9.8 |
Critique |
||
Memory Corruption in Modem due to double free while parsing the PKCS15 sim files. | 6.8 |
Moyen |
||
Information disclosure in DSP Services while loading dynamic module. | 6.2 |
Moyen |