Total: 100
Critical: 9
High: 67
Medium: 24
CISA KEV: 1
Possible out of bound access in audio module due to lack of validation of user provided input.
Memory corruption in Core while processing RX intent request.
Transient DOS while converting TWT (Target Wake Time) frame parameters in the OTA broadcast.
Transient DOS while parsing a vendor-specific IE (Information Element) of reassociation response management frame.
Memory corruption in Audio while running invalid audio recording from ADSP.
Transient DOS in Automotive OS due to improper authentication to the secure IO calls.
Memory corruption in DSP Services during a remote call from HLOS to DSP.
Cryptographic issue in GPS HLOS Driver while downloading Qualcomm GNSS assistance data.
Transient DOS in Data modem while handling TLB control messages from the Network.
Transient DOS in Modem when a Beam switch request is made with a non-configured BWP.
Transient DOS in Modem after RRC Setup message is received.
Memory corruption while sending SMS from AP firmware.
Memory corruption in HLOS while invoking IOCTL calls from user-space.
Memory corruption while using the UIM diag command to get the operators name.
Memory corruption in Boot while running a ListVars test in UEFI Menu during boot.
Memory corruption in Audio while processing the VOC packet data from ADSP.
Memory Corruption in Audio while invoking callback function in driver from ADSP.
Memory corruption in Automotive Audio while copying data from ADSP shared buffer to the VOC packet data buffer.
Memory corruption while invoking callback function of AFE from ADSP.
Memory corruption while parsing the ADSP response command.
Memory corruption in DSP Service during a remote call from HLOS to DSP.
Transient DOS in WLAN Firmware while parsing RSN IEs.
Cryptographic issue in Data Modem due to improper authentication during TLS handshake.
Memory corruption in WLAN HAL while processing devIndex from untrusted WMI payload.
Memory Corruption in Core Platform while printing the response buffer in log.
Memory Corruption while accessing metadata in Display.
Memory corruption in Core Platform while printing the response buffer in log.
Memory corruption in Audio during playback session with audio effects enabled.
Transient DOS in Modem while processing invalid System Information Block 1.
Memory corruption in RIL due to Integer Overflow while triggering qcril_uim_request_apdu request.
Memory Corruption due to improper validation of array index in Linux while updating adn record.
Memory corruption due to buffer over-read in Modem while processing SetNativeHandle RTP service.
Memory corruption due to improper validation of array index in WLAN HAL when received lm_itemNum is out of range.
Information disclosure in Automotive multimedia due to buffer over-read.
Transient DOS in Audio while remapping channel buffer in media codec decoding.
Memory corruption while allocating memory in COmxApeDec module in Audio.
Memory Corruption in Audio while playing amrwbplus clips with modified content.
Cryptographic issue in HLOS as derived keys used to encrypt/decrypt information are present on the stack after use.
Memory Corruption in Core due to incorrect type conversion or cast in secure_io_read/write function in TEE.
Memory Corruption in GPS HLOS Driver when injectFdclData receives data with invalid data length.
Memory corruption in WLAN while running doDriverCmd for an unspecific command.
Memory corruption in RIL while trying to send apdu packet.
Memory corruption in Trusted Execution Environment while calling service API with invalid address.
Cryptographic issue in HLOS due to improper authentication while performing key velocity checks using more than one key.
Information disclosure in Network Services due to buffer over-read while the device receives DNS response.
Memory corruption due to buffer copy without checking size of input in Audio during a voice call with the EVS vocoder.
Memory Corruption in GPU Subsystem due to arbitrary command execution from GPU in privileged mode.
Information Disclosure in WLAN HOST while sending DPP action frame to peer with an invalid source address.
Transient DOS in WLAN Firmware while processing frames with missing header fields.
Memory corruption in Audio when ADSP sends input during record use case.
Memory corruption in WLAN HOST while receiving a WMI event from firmware.
Memory corruption in WLAN HAL while processing WMI-UTF command or FTM TLV1 command.
Transient DOS due to improper authentication in modem while receiving plain TLB OTA request message from network.
Transient DOS due to untrusted Pointer Dereference in core while sending USB QMI request.
Memory corruption due to improper access control in kernel while processing a mapping request from root process.
Information disclosure in Kernel due to indirect branch misprediction.
Memory corruption in Linux Networking due to double free while handling a hyp-assign.
Transient DOS due to improper authorization in Modem.
Memory corruption due to double free in Core while mapping HLOS address to the list.
Memory Corruption due to double free in automotive when a bad HLOS address for one of the lists to be mapped is passed.
Memory corruption in Linux while sending DRM request.
Memory corruption in modem due to stack based buffer overflow while parsing OTASP Key Generation Request Message.
Memory corruption due to use after free in Core when multiple DCI clients register and deregister.
Transient DOS due to reachable assertion in Modem because of invalid network configuration.
Memory corruption in FM Host due to buffer copy without checking the size of input.
Memory corruption in Linux android due to double free while calling unregister provider after register call.
Memory corruption due to buffer copy without checking the size of input in Core while processing ioctl commands from diag client applications.
Memory corruption in core due to buffer copy without checking the size of input while processing ioctl queries.
Information disclosure due to cryptographic issue in Core during RPMB read request.
Assertion occurs while processing Reconfiguration message due to improper validation.
Transient DOS due to reachable assertion in Modem when UE received Downlink Data Indication message from the network.
Information disclosure due to buffer over-read in Trusted Execution Environment during QRKS report generation.
Memory Corruption in Graphics while accessing a buffer allocated through the graphics pool.
Memory corruption in Graphics while importing a file.
Transient DOS due to reachable assertion in Modem while processing config related to cross carrier scheduling, which is not supported.
Transient DOS due to reachable assertion in Modem during OSI decode scheduling.
Transient DOS due to NULL pointer dereference in Modem while sending invalid messages in DCCH.
Memory corruption in Automotive due to Improper Restriction of Operations within the Bounds of a Memory Buffer while exporting a shared key.
Memory corruption due to integer overflow or wraparound in WLAN while sending WMI cmd from host to target.
Information disclosure due to buffer over-read in Bluetooth Host during A2DP streaming.
Memory corruption due to improper validation of array index in User Identity Module when APN TLV length is greater than command length.
Memory corruption due to use after free in Modem during modem initialization.
Memory corruption due to integer overflow to buffer overflow in Modem while parsing Traffic Channel Neighbor List Update message.
Information disclosure in Modem due to buffer over-read while receiving an IP header with malformed length.
Memory corruption occurs in Modem due to improper validation of array index when malformed APDU is sent from card.
Memory corruption due to buffer copy without checking the size of input in Core while sending SCM command to get write protection information.
Information disclosure in Modem due to buffer over-read while getting length of Unfragmented headers in an IPv6 packet.
Transient DOS due to time-of-check time-of-use race condition in Modem while processing RRC Reconfiguration message.
Memory corruption due to integer overflow or wraparound in Core during DDR memory assignment.
Memory corruption due to double free in core while initializing the encryption key.
Memory corruption in Bluetooth HOST while processing the AVRC_PDU_GET_PLAYER_APP_VALUE_TEXT AVRCP response.
Transient DOS due to buffer over-read in WLAN while sending a packet to device.
Memory corruption in WLAN due to incorrect type cast while sending WMI_SCAN_SCH_PRIO_TBL_CMDID message.
Memory corruption in WLAN due to integer overflow to buffer overflow in WLAN during initialization phase.
Memory corruption in Video due to double free while playing 3gp clip with invalid metadata atoms.
Memory corruption due to buffer copy without checking the size of input in HLOS when input message size is larger than the buffer capacity.
Transient DOS in modem due to reachable assertion.
Memory corruption due to stack based buffer overflow in core while sending command from USB of large size.
Memory corruption in Core due to time-of-check time-of-use race condition during dump collection in trust zone.
Memory corruption due to improper validation of array index in Multi-mode call processor.