sd460 firmware (qualcomm) — Vulnerabilities

Memory corruption when an invoke call and a TEE call are bound for the same trusted application.

CVE-2024-21465HIGH 7.8

Memory corruption while processing key blob passed by the user.

CVE-2024-21462HIGH 7.1

Transient DOS while loading the TA ELF file.

CVE-2024-21461HIGH 8.4

CVE-2023-28578CRITICAL 9.3

Memory corruption while performing finish HMAC operation when context is freed by keymaster.

CVE-2023-43542HIGH 7.8

Jun 3, 2024

Memory corruption while copying a keyblob`s material when the key material`s size is not accurately checked.

CVE-2024-21477HIGH 7.5

May 6, 2024

Transient DOS while parsing a protected 802.11az Fine Time Measurement (FTM) frame.

CVE-2023-33023HIGH 8.4

Apr 1, 2024

Memory corruption while processing finish_sign command to pass a rsp buffer.

CVE-2023-28547HIGH 8.4

Apr 1, 2024

Memory corruption in SPS Application while requesting for public key in sorter TA.

CVE-2023-33066HIGH 8.4

Mar 4, 2024

Memory corruption in Audio while processing RT proxy port register driver.

Mar 4, 2024

Memory corruption in Core Services while executing the command for removing a single event listener.

CVE-2023-43536HIGH 7.5

Transient DOS while parse fils IE with length equal to 1.

CVE-2023-43533HIGH 7.5

Transient DOS in WLAN Firmware when the length of received beacon is less than length of ieee802.11 beacon frame.

CVE-2023-43522HIGH 7.5

CVE-2023-33072CRITICAL 9.3

Transient DOS while key unwrapping process, when the given encrypted key is empty or NULL.

Memory corruption in Core while processing control functions.

CVE-2023-43511HIGH 7.5

Transient DOS while parsing IPv6 extension header when WLAN firmware receives an IPv6 packet that contains `IPPROTO_NONE` as the next header.

CVE-2023-33109HIGH 7.5

Transient DOS while processing a WMI P2P listen start command (0xD00A) sent from host.

CVE-2023-33062HIGH 7.5

Transient DOS in WLAN Firmware while parsing a BTM request.

CVE-2023-33040HIGH 7.5

Transient DOS in Data Modem during DTLS handshake.

CVE-2023-33038MEDIUM 6.7

Memory corruption while receiving a message in Bus Socket Transport Server.

CVE-2023-33033HIGH 8.4

CVE-2023-33030CRITICAL 9.3

Memory corruption in Audio during playback with speaker protection.

Memory corruption in HLOS while running playready use-case.

CVE-2023-33088HIGH 8.4

Memory corruption when processing cmd parameters while parsing vdev.

CVE-2023-33080HIGH 7.5

Transient DOS while parsing a vender specific IE (Information Element) of reassociation response management frame.

CVE-2023-33018HIGH 7.8

Memory corruption while using the UIM diag command to get the operators name.

CVE-2023-33017HIGH 7.8

Memory corruption in Boot while running a ListVars test in UEFI Menu during boot.

CVE-2023-28586MEDIUM 6.0

Information disclosure when the trusted application metadata symbol addresses are accessed while loading an ELF in TEE.

CVE-2023-28585HIGH 8.2

Memory corruption while loading an ELF segment in TEE Kernel.

CVE-2023-28551HIGH 7.8

Memory corruption in UTILS when modem processes memory specific Diag commands having arbitrary address values as input arguments.

CVE-2023-28550HIGH 7.8

Memory corruption in MPP performance while accessing DSM watermark using external memory address.

CVE-2023-28546HIGH 7.8

Memory Corruption in SPS Application while exporting public key in sorter TA.

CVE-2023-28569MEDIUM 6.1

Information disclosure in WLAN HAL while handling command through WMI interfaces.

CVE-2023-28568MEDIUM 6.1

Information disclosure in WLAN HAL when reception status handler is called.

CVE-2023-28566MEDIUM 6.1

Information disclosure in WLAN HAL while handling the WMI state info command.

CVE-2023-28563MEDIUM 6.1

Information disclosure in IOE Firmware while handling WMI command.

CVE-2023-28556HIGH 7.1

Cryptographic issue in HLOS during key management.

CVE-2023-28545HIGH 8.2

Memory corruption in TZ Secure OS while loading an app ELF.

CVE-2023-24852HIGH 8.4

CVE-2023-22388CRITICAL 9.8

Memory Corruption in Core due to secure memory access by user while loading modem image.

Memory Corruption in Multi-mode Call Processor while processing bit mask API.

CVE-2023-33027HIGH 7.5

CVE-2023-28540CRITICAL 9.1

Transient DOS in WLAN Firmware while parsing rsn ies.

Cryptographic issue in Data Modem due to improper authentication during TLS handshake.

CVE-2023-24849HIGH 8.2

Information Disclosure in data Modem while parsing an FMTP line in an SDP message.

CVE-2023-24848HIGH 8.2

Information Disclosure in Data Modem while performing a VoLTE call with an undefined RTCP FB line value.

CVE-2023-24847HIGH 7.5

Transient DOS in Modem while allocating DSM items.

CVE-2023-22385HIGH 8.2

Memory Corruption in Data Modem while making a MO call or MT VOLTE call.

CVE-2023-28567HIGH 7.8

Memory corruption in WLAN HAL while handling command through WMI interfaces.

CVE-2023-28565HIGH 7.8

Memory corruption in WLAN HAL while handling command streams through WMI interfaces.

CVE-2023-28564HIGH 7.8

CVE-2023-28562CRITICAL 9.8

Memory corruption in WLAN HAL while passing command parameters through WMI interfaces.

Memory corruption while handling payloads from remote ESL.

CVE-2023-28560HIGH 7.8

Memory corruption in WLAN HAL while processing devIndex from untrusted WMI payload.

CVE-2023-28559HIGH 7.8

Memory corruption in WLAN FW while processing command parameters from untrusted WMI payload.

CVE-2023-28558HIGH 7.8

Memory corruption in WLAN handler while processing PhyID in Tx status handler.

CVE-2023-28557HIGH 7.8

Memory corruption in WLAN HAL while processing command parameters from untrusted WMI payload.

CVE-2023-28544HIGH 7.8

Memory corruption in WLAN while sending transmit command from HLOS to UTF handlers.

CVE-2023-28538HIGH 8.4

Memory corruption in WIN Product while invoking WinAcpi update driver in the UEFI region.

CVE-2022-33275HIGH 8.4

Memory corruption due to improper validation of array index in WLAN HAL when received lm_itemNum is out of range.

CVE-2023-28537HIGH 8.4

Memory corruption while allocating memory in COmxApeDec module in Audio.

CVE-2023-22666HIGH 8.4

Memory Corruption in Audio while playing amrwbplus clips with modified content.

CVE-2023-21652HIGH 7.7

CVE-2023-21651CRITICAL 9.3

Cryptographic issue in HLOS as derived keys used to encrypt/decrypt information is present on stack after use.

Memory Corruption in Core due to incorrect type conversion or cast in secure_io_read/write function in TEE.

CVE-2023-21626HIGH 7.1

CVE-2022-40510CRITICAL 9.8

Cryptographic issue in HLOS due to improper authentication while performing key velocity checks using more than one key.

Memory corruption due to buffer copy without checking size of input in Audio while voice call with EVS vocoder.

CVE-2023-21629MEDIUM 6.8

Jul 4, 2023

Memory Corruption in Modem due to double free while parsing the PKCS15 sim files.

CVE-2023-21659HIGH 7.5

Transient DOS in WLAN Firmware while processing frames with missing header fields.

CVE-2023-21628HIGH 8.4

Memory corruption in WLAN HAL while processing WMI-UTF command or FTM TLV1 command.

CVE-2022-40533MEDIUM 6.2

Transient DOS due to untrusted Pointer Dereference in core while sending USB QMI request.

CVE-2022-40529HIGH 7.1

Memory corruption due to improper access control in kernel while processing a mapping request from root process.

CVE-2022-40523HIGH 7.1

Information disclosure in Kernel due to indirect branch misprediction.

CVE-2022-40521HIGH 7.5

Transient DOS due to improper authorization in Modem

CVE-2022-40507HIGH 8.4

Memory corruption due to double free in Core while mapping HLOS address to the list.

CVE-2022-33264HIGH 7.9

Memory corruption in modem due to stack based buffer overflow while parsing OTASP Key Generation Request Message.

CVE-2022-22076HIGH 7.1

information disclosure due to cryptographic issue in Core during RPMB read request.

CVE-2022-40504HIGH 7.5

May 2, 2023

Transient DOS due to reachable assertion in Modem when UE received Downlink Data Indication message from the network.

CVE-2022-40532HIGH 8.4

Memory corruption due to integer overflow or wraparound in WLAN while sending WMI cmd from host to target.

CVE-2022-33302MEDIUM 6.8

Memory corruption due to improper validation of array index in User Identity Module when APN TLV length is greater than command length.

CVE-2022-33289MEDIUM 6.8

CVE-2022-33231CRITICAL 9.3

Memory corruption occurs in Modem due to improper validation of array index when malformed APDU is sent from card.

Memory corruption due to double free in core while initializing the encryption key.

CVE-2022-40537HIGH 7.3

Memory corruption in Bluetooth HOST while processing the AVRC_PDU_GET_PLAYER_APP_VALUE_TEXT AVRCP response.

CVE-2022-40535HIGH 7.5

Transient DOS due to buffer over-read in WLAN while sending a packet to device.

CVE-2022-40531HIGH 8.4

Memory corruption in WLAN due to incorrect type cast while sending WMI_SCAN_SCH_PRIO_TBL_CMDID message.

CVE-2022-40515HIGH 7.3

Memory corruption in Video due to double free while playing 3gp clip with invalid metadata atoms.

CVE-2022-33278HIGH 7.8

CVE-2022-33257CRITICAL 9.3

Memory corruption due to buffer copy without checking the size of input in HLOS when input message size is larger than the buffer capacity.

Memory corruption in Core due to time-of-check time-of-use race condition during dump collection in trust zone.

CVE-2022-33242HIGH 7.8

Memory corruption due to improper authentication in Qualcomm IPC while loading unsigned lib in audio PD.

CVE-2022-33213HIGH 7.5

Memory corruption in modem due to buffer overflow while processing a PPP packet

CVE-2022-25705HIGH 7.8

Memory corruption in modem due to integer overflow to buffer overflow while handling APDU response

CVE-2022-25694HIGH 8.4

Memory corruption in Modem due to usage of Out-of-range pointer offset in UIM

CVE-2022-25655HIGH 8.4

Memory corruption in WLAN HAL while arbitrary value is passed in WMI UTF command payload.

CVE-2022-22075MEDIUM 6.2