Total: 86
Critical: 3
High: 64
Medium: 19
CISA KEV: 3
Memory corruption while using alignments for memory allocation.
Weak configuration may lead to cryptographic issue when a VoWiFi call is triggered from UE.
Memory corruption while handling buffer mapping operations in the cryptographic driver.
Memory corruption while processing MFC channel configuration during music playback.
Memory corruption while processing a GP command response.
Memory corruption during PlayReady APP usecase while processing TA commands.
Information disclosure while decoding the RTP packet headers received by UE from the network when the padding bit is set.
Information disclosure while decoding RTP packet received by UE from the network, when payload length mentioned is greater than the available buffer length.
Information disclosure when UE receives the RTP packet from the network, while decoding and reassembling the fragments from RTP packet.
Memory corruption when the UE receives an RTP packet from the network, during the reassembly of NALUs.
Cryptographic issue while performing RSA PKCS padding decoding.
Memory corruption while processing specific files in Powerline Communication Firmware.
Information disclosure when an invalid RTCP packet is received during a VoLTE/VoWiFi IMS call.
Information disclosure may occur while processing goodbye RTCP packet from network.
Information disclosure may occur while decoding the RTP packet with invalid header extension from network.
Information disclosure may occur while decoding the RTP packet with improper header length for number of contributing sources.
Memory corruption may occur while processing the OIS packet parser.
Memory corruption while handling test pattern generator IOCTL command.
Memory corruption while processing I2C settings in Camera driver.
Memory corruption while processing IOCTL command to handle buffers associated with a session.
Memory corruption may occur while processing voice call registration with user.
Transient DOS while connecting STA to AP and initiating ADD TS request from AP to establish TSpec session.
Memory corruption occurs while connecting a STA to an AP and initiating an ADD TS request.
Memory corruption occurs while connecting a STA to an AP and initiating an ADD TS request from the AP to establish a TSpec session.
Cryptographic issue may arise because the access control configuration permits Linux to read key registers in TCSR.
Information disclosure may occur during a video call if a device resets due to a non-conforming RTCP packet that doesn't adhere to RFC standards.
Information disclosure while creating MQ channels.
Memory corruption occurs during the copying of read data from the EEPROM because the IO configuration is exposed as shared memory.
Memory corruption while handling file descriptor during listener registration/de-registration.
Cryptographic issues while generating an asymmetric key pair for RKP use cases.
There may be information disclosure during memory re-allocation in TZ Secure OS.
Memory corruption while invoking IOCTL calls from user space to read WLAN target diagnostic information.
Memory corruption while processing API calls to NPU with invalid input.
Memory corruption while invoking IOCTL calls from user space to issue factory test command inside WLAN driver.
Memory corruption while invoking IOCTL calls from user space to set generic private command inside WLAN driver.
Memory corruption when invalid input is passed to invoke GPU Headroom API call.
Transient DOS while parsing the ML IE when a beacon has a common info length of the ML IE greater than the ML IE inside which this element is present.
Memory corruption when allocating and accessing an entry in an SMEM partition continuously.
Memory corruption while configuring the SMR/S2CR register in Bypass mode.
Memory corruption during GNSS HAL process initialization.
Memory corruption while processing GPU page table switch.
Memory corruption while processing voice packet with arbitrary data received from ADSP.
Memory corruption while IOCTL is called when the device is in an invalid state and the WMI command buffer may be freed twice.
Memory corruption during station LL statistic handling.
Memory corruption while processing input parameters for any IOCTL call in the JPEG Encoder driver.
Memory corruption while handling IOCTL calls in JPEG Encoder driver.
Transient DOS while parsing BTM ML IE when per STA profile is not included.
Transient DOS while parsing fragments of MBSSID IE from beacon frame.
Memory corruption while processing the update SIM PB records request.
Memory corruption when WiFi display APIs are invoked with large random inputs.
Transient DOS as modem reset occurs when an unexpected MAC RAR (with invalid PDU length) is seen at UE.
Transient DOS while handling PS event when Program Service name length offset value is set to 255.
Memory corruption when an invalid firehose patch command is invoked.
Memory corruption while releasing shared resources in MinkSocket listener thread.
Transient DOS when processing the non-transmitted BSSID profile sub-elements present within the MBSSID Information Element (IE) of a beacon frame that is received from over-the-air (OTA).
Information disclosure while decoding Tracking Area Update Accept or Attach Accept message received from network.
Transient DOS when registration accept OTA is received with incorrect ciphering key data IE in Modem.
Memory corruption can occur when an arbitrary user-space app gains kernel-level privilege to modify DDR memory by corrupting the GPU page table.
Transient DOS while importing a PKCS#8-encoded RSA key with zero bytes modulus.
Transient DOS while decoding attach reject message received by UE, when IEI is set to ESM_IEI.
Memory corruption when allocating and accessing an entry in an SMEM partition.
Memory corruption while performing finish HMAC operation when context is freed by keymaster.
Memory corruption while processing the event ring: the context read pointer is untrusted to HLOS and, when it is passed with arbitrary values, may point to an address in the middle of a ring element.
Memory corruption in Audio while processing the calibration data returned from ACDB loader.
Memory corruption in Audio while processing IIR config data from AFE calibration block.
Memory corruption in Audio while calling START command on host voice PCM multiple times for the same RX or TX tap points.
Information disclosure in Audio while accessing AVCS services from ADSP payload.
Transient DOS in Audio when invoking callback function of ASM driver.
Memory corruption in Audio when memory map command is executed consecutively in ADSP.
The session index variable in the PCM host voice audio driver is initialized before PCM open, accessed during event callback from ADSP, and reset during PCM close; this may lead to a race condition between the event callback and PCM close resetting the session index, causing memory corruption.
Memory corruption in Audio during playback with speaker protection.
Memory corruption in HLOS while running playready use-case.
Memory corruption in Graphics Linux while assigning shared virtual memory region during IOCTL call.
Transient DOS in Automotive OS due to improper authentication to the secure IO calls.
Memory corruption in DSP Services during a remote call from HLOS to DSP.
Memory corruption while using the UIM diag command to get the operators name.
Transient DOS in Bluetooth Host while rfc slot allocation.
Memory corruption in UTILS when modem processes memory specific Diag commands having arbitrary address values as input arguments.
Memory corruption in MPP performance while accessing DSM watermark using external memory address.
Memory Corruption in SPS Application while exporting public key in sorter TA.
Memory corruption while processing audio effects.
Memory Corruption in Multi-mode Call Processor while processing bit mask API.
Memory Corruption in HLOS while importing a cryptographic key into KeyMaster Trusted Application.
Information Disclosure in data Modem while parsing an FMTP line in an SDP message.
Information Disclosure in Data Modem while performing a VoLTE call with an undefined RTCP FB line value.
Memory Corruption in Data Modem while making a MO call or MT VOLTE call.