| CVE | Vendors | Products | Updated | CVSS v3.1 |
| In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile and Snapdragon Wear IPQ4019, IPQ8064, MDM9206, MDM9607, MDM9640, MDM9650, QCA4531, QCA6174A, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9378, QCA9379, QCA9558, QCA9880, QCA9886, QCA9980, SD 210/SD 212/SD 205, SD 425, SD 625, SD 810, SD 820, and SDX20, integer overflow occurs when the size of the firmware section is incorrectly encoded in the firmware image. |
| In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear IPQ4019, IPQ8064, MDM9206, MDM9607, MDM9635M, MDM9640, MDM9650, QCA4531, QCA6174A, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9378, QCA9379, QCA9558, QCA9880, QCA9886, QCA9980, SD 210/SD 212/SD 205, SD 425, SD 625, SD 808, SD 810, SD 820, and SDX20, while processing firmware image signature, the internal buffer may overflow if the firmware signature size is large. |
| In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear MDM9206, MDM9607, MDM9635M, MDM9640, MDM9650, MSM8909W, QCA6174A, QCA6574AU, QCA9377, QCA9379, SD 210/SD 212/SD 205, SD 400, SD 450, SD 410/12, SD 425, SD 430, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, and SDX20, lack of input validation on BT HCI commands processing allows privilege escalation. |
| Memory corruption while allocating memory in HGSL driver. |
| Memory corruption as fence object may still be accessed in timeline destruct after isync fence is released. |
| Memory corruption during GNSS HAL process initialization. |
| Cryptographic issue when a controller receives an LMP start encryption command under unexpected conditions. |
| Transient DOS as modem reset occurs when an unexpected MAC RAR (with invalid PDU length) is seen at UE. |
| Memory corruption while processing GPU page table switch. |
| Memory corruption while processing voice packet with arbitrary data received from ADSP. |
| Memory corruption while invoking IOCTL calls from user-space for HGSL memory node. |
| Memory corruption while handling session errors from firmware. |
| Memory corruption is possible when an attempt is made from userspace or console to write some haptics effects pattern to the haptics debugfs file. |
| Memory corruption while sending the persist buffer command packet from the user-space to the kernel space through the IOCTL call. |
| Memory corruption can occur when arbitrary user-space app gains kernel level privilege to modify DDR memory by corrupting the GPU page table. |
| Memory corruption when keymaster operation imports a shared key. |
| Memory corruption while processing IOCTL call to set metainfo. |
| Transient DOS while parsing multiple MBSSID IEs from the beacon, when the tag length is a non-zero value but the end of the beacon has been reached. |
| Transient DOS while parsing fragments of MBSSID IE from beacon frame. |
| Transient DOS while decoding attach reject message received by UE, when IEI is set to ESM_IEI. |