| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Memory corruption while invoking IOCTL calls from user space to issue factory test command inside WLAN driver. |
| Memory corruption while invoking IOCTL calls from user space to set generic private command inside WLAN driver. |
| Memory corruption when invalid input is passed to invoke GPU Headroom API call. |
| Transient DOS while parsing the ML IE when a beacon with common info length of the ML IE greater than the ML IE inside which this element is present. |
| Memory corruption when multiple threads try to unregister the CVP buffer at the same time. |
| Memory corruption while Configuring the SMR/S2CR register in Bypass mode. |
| Memory corruption while invoking redundant release command to release one buffer from user space as race condition can occur in kernel space between buffer release and buffer access. |
| Information disclosure as NPU firmware can send invalid IPC message to NPU driver as the driver doesn`t validate the IPC message received from the firmware. |
| Memory corruption while parsing sensor packets in camera driver, user-space variable is used while allocating memory in kernel and parsing which can lead to huge allocation or invalid memory access. |
| Transient DOS during music playback of ALAC content. |
| Transient DOS while decoding attach reject message received by UE, when IEI is set to ESM_IEI. |
| Possible out of bound access in audio module due to lack of validation of user provided input. |
| Transient DOS while importing a PKCS#8-encoded RSA key with zero bytes modulus. |
| Memory corruption when IOMMU unmap operation fails, the DMA and anon buffers are getting released. |
| Memory corruption when allocating and accessing an entry in an SMEM partition. |
| Memory corruption while performing finish HMAC operation when context is freed by keymaster. |
| Memory corruption in Graphics while processing user packets for command submission. |
| Transient DOS in WLAN Host when an invalid channel (like channel out of range) is received in STA during CSA IE. |
| Transient DOS in WLAN Host while doing channel switch announcement (CSA), when a mobile station receives invalid channel in CSA IE. |
| In the function call related to CAM_REQ_MGR_RELEASE_BUF there is no check if the buffer is being used. So when a function called cam_mem_get_cpu_buf to get the kernel va to use, another thread can call CAM_REQ_MGR_RELEASE_BUF to unmap the kernel va which cause UAF of the kernel address. |
