Total
100
Critical
7
High
76
Medium
17
CISA KEV
0
Transient DOS when a remote device sends an invalid connection request during BT connectable LE scan.
Memory corruption while processing a malformed license file during reboot.
Memory corruption during PlayReady APP usecase while processing TA commands.
Transient DOS while parsing the EPTM test control message to get the test pattern.
Memory corruption while performing private key encryption in trusted application.
Transient DOS while processing an ANQP message.
Information disclosure while processing the hash segment in an MBN file.
Information disclosure while reading data from an image using specified offset and size parameters.
Transient DOS when importing a PKCS#8-encoded RSA private key with a zero-sized modulus.
Memory corruption while retrieving the CBOR data from TA.
Memory corruption while reading secure file.
Memory corruption may occur while reading board data via IOCTL call when the WLAN driver copies the content to the provided output buffer.
Memory corruption while IOCTL call is invoked from user-space to read board data.
Cryptographic issue occurs during PIN/password verification using Gatekeeper, where RPMB writes can be dropped on verification failure, potentially leading to a user throttling bypass.
There may be information disclosure during memory re-allocation in TZ Secure OS.
Information disclosure while deriving keys for a session for any Widevine use case.
Memory corruption when IOCTL call is invoked from user-space to write board data to WLAN driver.
Memory corruption when IOCTL call is invoked from user-space to read board data.
Memory corruption while invoking IOCTL calls from user space to issue factory test command inside WLAN driver.
Cryptographic issue when a controller receives an LMP start encryption command under unexpected conditions.
Transient DOS while processing TIM IE from beacon frame as there is no check for IE length.
memory corruption when an invalid firehose patch command is invoked.
Cryptographic issue while parsing RSA keys in COBR format.
Transient DOS while importing a PKCS#8-encoded RSA key with zero bytes modulus.
Memory corruption during session sign renewal request calls in HLOS.
Memory corruption when an invoke call and a TEE call are bound for the same trusted application.
Memory corruption while processing key blob passed by the user.
Transient DOS while loading the TA ELF file.
Memory corruption while performing finish HMAC operation when context is freed by keymaster.
Memory corruption while copying a keyblob`s material when the key material`s size is not accurately checked.
Memory corruption while processing finish_sign command to pass a rsp buffer.
Memory corruption in SPS Application while requesting for public key in sorter TA.
Memory corruption while parsing qcp clip with invalid chunk data size.
Transient DOS while parse fils IE with length equal to 1.
Memory corruption in video while parsing the Videoinfo, when the size of atom is greater than the videoinfo size.
Memory corruption in video while parsing invalid mp2 clip.
Memory corruption in Core while processing control functions.
Transient DOS while parsing GATT service data when the total amount of memory that is required by the multiple services is greater than the actual size of the services buffer.
Transient DOS while parsing IPv6 extension header when WLAN firmware receives an IPv6 packet that contains `IPPROTO_NONE` as the next header.
Transient DOS while processing a WMI P2P listen start command (0xD00A) sent from host.
Transient DOS in WLAN Firmware while parsing a BTM request.
Memory corruption in HLOS while running playready use-case.
Transient DOS while parsing WPA IES, when it is passed with length more than expected size.
Memory corruption when processing cmd parameters while parsing vdev.
Transient DOS while parsing a vender specific IE (Information Element) of reassociation response management frame.
Memory corruption in HLOS while invoking IOCTL calls from user-space.
Memory corruption in Boot while running a ListVars test in UEFI Menu during boot.
Transient DOS in Bluetooth Host while rfc slot allocation.
Memory corruption in BT controller while parsing debug commands with specific sub-opcodes at HCI interface level.
Information disclosure when the trusted application metadata symbol addresses are accessed while loading an ELF in TEE.
Memory corruption while loading an ELF segment in TEE Kernel.
Memory corruption in MPP performance while accessing DSM watermark using external memory address.
Memory Corruption in SPS Application while exporting public key in sorter TA.
Information disclosure in WLAN HAL while handling command through WMI interfaces.
Information disclosure in WLAN HAL while handling the WMI state info command.
Information disclosure in IOE Firmware while handling WMI command.
Cryptographic issue in HLOS during key management.
Memory corruption in TZ Secure OS while loading an app ELF.
Memory Corruption in Core due to secure memory access by user while loading modem image.
Transient DOS in WLAN Firmware while parsing rsn ies.
Memory Corruption in HLOS while importing a cryptographic key into KeyMaster Trusted Application.
Transient DOS in Modem while allocating DSM items.
Transient DOS in WLAN Firmware while interpreting MBSSID IE of a received beacon frame.
Memory corruption in WLAN HAL while handling command through WMI interfaces.
Memory corruption in WLAN HAL while handling command streams through WMI interfaces.
Memory corruption in WLAN HAL while passing command parameters through WMI interfaces.
Memory corruption while handling payloads from remote ESL.
Memory corruption in WLAN HAL while processing devIndex from untrusted WMI payload.
Memory corruption in WLAN FW while processing command parameters from untrusted WMI payload.
Memory corruption in WLAN handler while processing PhyID in Tx status handler.
Memory corruption in WLAN HAL while processing command parameters from untrusted WMI payload.
Memory corruption in WLAN while sending transmit command from HLOS to UTF handlers.
Memory corruption in WIN Product while invoking WinAcpi update driver in the UEFI region.
Memory corruption in QESL while processing payload from external ESL device to firmware.
Cryptographic issue in HLOS as derived keys used to encrypt/decrypt information is present on stack after use.
Memory Corruption in Core due to incorrect type conversion or cast in secure_io_read/write function in TEE.
Cryptographic issue in HLOS due to improper authentication while performing key velocity checks using more than one key.
Memory Corruption in Data Modem while processing DMA buffer release event about CFR data.
Memory corruption in WLAN HAL while processing WMI-UTF command or FTM TLV1 command.
Information disclosure in Kernel due to indirect branch misprediction.
Memory corruption due to double free in Core while mapping HLOS address to the list.
information disclosure due to cryptographic issue in Core during RPMB read request.
Memory corruption due to integer overflow or wraparound in WLAN while sending WMI cmd from host to target.
Information disclosure due to buffer over-read in Bluetooth Host while A2DP streaming.
Memory corruption due to double free in core while initializing the encryption key.
Memory corruption in Bluetooth HOST while processing the AVRC_PDU_GET_PLAYER_APP_VALUE_TEXT AVRCP response.
Memory corruption in WLAN due to incorrect type cast while sending WMI_SCAN_SCH_PRIO_TBL_CMDID message.
Memory corruption in WLAN due to integer overflow to buffer overflow in WLAN during initialization phase.
Memory corruption in Video due to double free while playing 3gp clip with invalid metadata atoms.
Memory corruption due to buffer copy without checking the size of input in HLOS when input message size is larger than the buffer capacity.
Memory corruption in Core due to time-of-check time-of-use race condition during dump collection in trust zone.
Memory corruption in WLAN due to use after free
Information Disclosure in Graphics during GPU context switch.
Transient DOS in WLAN Firmware due to buffer over-read while processing probe response or beacon.
Memory corruption in modem due to buffer copy without checking size of input while receiving WMI command.
Information disclosure due to buffer over-read in WLAN while parsing NMF frame.
Information disclosure due to buffer overread in Core
Information disclosure due to buffer overread in Core
Memory corruption in core due to stack-based buffer overflow
Memory corruption in Core due to stack-based buffer overflow.
