| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Memory corruption when IPC callback handle is used after it has been released during register callback by another thread. |
| Memory corruption when more scan frequency list or channels are sent from the user space. |
| Transient DOS while parsing a protected 802.11az Fine Time Measurement (FTM) frame. |
| Memory corruption while processing Codec2 during v13k decoder pitch synthesis. |
| Transient DOS in WLAN Host and Firmware when large number of open authentication frames are sent with an invalid transaction sequence number. |
| Information disclosure while processing IOCTL call made for releasing a trusted VM process release or opening a channel without initializing the process. |
| Memory corruption due to use after free in Core when multiple DCI clients register and deregister. |
| Memory corruption due to double free in Core while mapping HLOS address to the list. |
| Memory Corruption in GPU Subsystem due to arbitrary command execution from GPU in privileged mode. |
| Transient DOS while handling PS event when Program Service name length offset value is set to 255. |
| Memory corruption while processing API calls to NPU with invalid input. |
| Memory corruption when multiple threads try to unregister the CVP buffer at the same time. |
| Memory corruption while Configuring the SMR/S2CR register in Bypass mode. |
| Memory corruption while invoking redundant release command to release one buffer from user space as race condition can occur in kernel space between buffer release and buffer access. |
| Memory corruption when PAL client calls PAL service APIs by passing a random value as handle and the handle is not validated by the service. |
| Information disclosure as NPU firmware can send invalid IPC message to NPU driver as the driver doesn`t validate the IPC message received from the firmware. |
| Memory corruption while parsing sensor packets in camera driver, user-space variable is used while allocating memory in kernel and parsing which can lead to huge allocation or invalid memory access. |
| Memory corruption in WLAN Host while processing RRM beacon on the AP. |
| Transient DOS while parsing the multiple MBSSID IEs from the beacon, when the tag length is non-zero value but with end of beacon. |
| Transient DOS while parsing the MBSSID IE from the beacons, when the MBSSID IE length is zero. |
