Total
100
Critical
4
High
67
Medium
29
CISA KEV
1
Memory Corruption when copying data from a freed source while executing performance counter deselect operation.
Memory corruption when dynamically changing the size of a previously allocated buffer while its contents are being modified.
Memory corruption while using alignments for memory allocation.
Memory Corruption while invoking IOCTL calls when concurrent access to shared buffer occurs.
Memory Corruption when accessing trusted execution environment without proper privilege check.
Weak configuration may lead to cryptographic issue when a VoWiFi call is triggered from UE.
Memory Corruption while processing IOCTL calls when concurrent access to shared buffer occurs.
Memory Corruption when concurrent access to shared buffer occurs due to improper synchronization between assignment and deallocation of buffer resources.
Memory Corruption when accessing a buffer after it has been freed while processing IOCTL calls.
Memory Corruption when concurrent access to shared buffer occurs during IOCTL calls.
Memory corruption while handling different IOCTL calls from the user-space simultaneously.
Memory corruption while handling buffer mapping operations in the cryptographic driver.
Information disclosure while processing a firmware event.
Transient DOS while parsing video packets received from the video firmware.
Memory corruption while loading an invalid firmware in boot loader.
Memory corruption while processing MFC channel configuration during music playback.
Information disclosure while registering commands from clients with diag through diagHal.
Memory corruption during PlayReady APP usecase while processing TA commands.
Transient DOS while processing video packets received from video firmware.
information disclosure while invoking calibration data from user space to update firmware size.
Information disclosure while capturing logs as eSE debug messages are logged.
Memory corruption whhile handling the subsystem failure memory during the parsing of video packets received from the video firmware.
Memory corruption while processing data packets in diag received from Unix clients.
Memory corruption while processing manipulated payload in video firmware.
Memory corruption while processing video packets received from video firmware.
Memory corruption may occur while processing voice call registration with user.
Memory corruption while processing a data structure, when an iterator is accessed after it has been removed, potential failures occur.
Memory corruption while processing an IOCTL call to set mixer controls.
Memory corruption while sound model registration for voice activation with audio kernel driver.
Memory corruption during concurrent access to server info object due to incorrect reference count update.
Memory corruption during concurrent access to server info object due to unprotected critical field.
Transient DOS while connecting STA to AP and initiating ADD TS request from AP to establish TSpec session.
Memory corruption occurs while connecting a STA to an AP and initiating an ADD TS request.
Memory corruption occurs while connecting a STA to an AP and initiating an ADD TS request from the AP to establish a TSpec session.
Memory corruption while processing IOCTL calls to add route entry in the HW.
Memory corruption while accessing MSM channel map and mixer functions.
Memory corruption while invoking IOCTL map buffer request from userspace.
Transient DOS may occur while processing the country IE.
Memory corruption may occur while validating ports and channels in Audio driver.
Memory corruption during voice activation, when sound model parameters are loaded from HLOS, and the received sound model list is empty in HLOS drive.
Memory corruption during voice activation, when sound model parameters are loaded from HLOS to ADSP.
Memory corruption while processing command in Glink linux.
While processing the authentication message in UE, improper authentication may lead to information disclosure.
Information disclosure while parsing the OCI IE with invalid length.
Information disclosure while processing IO control commands.
Information disclosure during audio playback.
Information disclosure while invoking callback function of sound model driver from ADSP for every valid opcode received from sound model driver.
Memory corruption while processing GPU page table switch.
Memory corruption while processing voice packet with arbitrary data received from ADSP.
Memory corruption while invoking IOCTL calls from the use-space for HGSL memory node.
Memory corruption while parsing IPC frequency table parameters for LPLH that has size greater than expected size.
Transient DOS while parsing noninheritance IE of Extension element when length of IE is 2 of beacon frame.
Memory corruption is possible when an attempt is made from userspace or console to write some haptics effects pattern to the haptics debugfs file.
Memory corruption when a process invokes IOCTL calls from user-space to create a HAB virtual channel and another process invokes IOCTL calls to destroy the same.
Transient DOS while processing TIM IE from beacon frame as there is no check for IE length.
Transient DOS while parsing MBSSID during new IE generation in beacon/probe frame when IE length check is either missing or improper.
Memory corruption when BTFM client sends new messages over Slimbus to ADSP.
Information disclosure while decoding Tracking Area Update Accept or Attach Accept message received from network.
Memory corruption as fence object may still be accessed in timeline destruct after isync fence is released.
Memory corruption while allocating memory in HGSL driver.
Memory corruption while processing IOCTL call to set metainfo.
Transient DOS while parsing ESP IE from beacon/probe response frame.
Transient DOS when driver accesses the ML IE memory and offset value is incremented beyond ML IE length.
Transient DOS while parsing the multiple MBSSID IEs from the beacon, when the tag length is non-zero value but with end of beacon.
Transient DOS while parsing the MBSSID IE from the beacons, when the MBSSID IE length is zero.
Transient DOS while parsing fragments of MBSSID IE from beacon frame.
Transient DOS while decoding attach reject message received by UE, when IEI is set to ESM_IEI.
Transient DOS during music playback of ALAC content.
Memory corruption when allocating and accessing an entry in an SMEM partition.
Cryptographic issue while performing attach with a LTE network, a rogue base station can skip the authentication phase and immediately send the Security Mode Command.
Memory corruption when the payload received from firmware is not as per the expected protocol size.
Information disclosure when the ADSP payload size received in HLOS in response to Audio Stream Manager matrix session is less than this expected size.
Memory corruption when the bandpass filter order received from AHAL is not within the expected range.
Memory corruption when there is failed unmap operation in GPU.
Information disclosure when VI calibration state set by ADSP is greater than MAX_FBSP_STATE in the response payload to AFE calibration command.
Memory corruption in Audio while processing RT proxy port register driver.
Memory corruption in Audio while processing the calibration data returned from ACDB loader.
Memory corruption in Audio while processing IIR config data from AFE calibration block.
Memory corruption in Audio while calling START command on host voice PCM multiple times for the same RX or TX tap points.
Transient DOS while parsing IPv6 extension header when WLAN firmware receives an IPv6 packet that contains `IPPROTO_NONE` as the next header.
Memory corruption in Audio when memory map command is executed consecutively in ADSP.
Memory corruption in Audio during playback with speaker protection.
Memory corruption in HLOS while running playready use-case.
Transient DOS while parsing a vender specific IE (Information Element) of reassociation response management frame.
Memory corruption while using the UIM diag command to get the operators name.
Memory corruption in Boot while running a ListVars test in UEFI Menu during boot.
Information disclosure when the trusted application metadata symbol addresses are accessed while loading an ELF in TEE.
Memory corruption in UTILS when modem processes memory specific Diag commands having arbitrary address values as input arguments.
Memory corruption in MPP performance while accessing DSM watermark using external memory address.
Memory corruption in Audio while processing the VOC packet data from ADSP.
Memory Corruption in Multi-mode Call Processor while processing bit mask API.
Information Disclosure in data Modem while parsing an FMTP line in an SDP message.
Information Disclosure in Data Modem while performing a VoLTE call with an undefined RTCP FB line value.
Memory Corruption in Data Modem while making a MO call or MT VOLTE call.
Transient DOS in WLAN Host when an invalid channel (like channel out of range) is received in STA during CSA IE.
Transient DOS in WLAN Host while doing channel switch announcement (CSA), when a mobile station receives invalid channel in CSA IE.
Memory corruption in WLAN HAL while handling command streams through WMI interfaces.
Cryptographic issue in HLOS due to improper authentication while performing key velocity checks using more than one key.
Memory corruption due to buffer copy without checking size of input in Audio while voice call with EVS vocoder.
Memory Corruption in WLAN HOST while fetching TX status information.
