| CVE | Vendors | Products | Updated | CVSS v3.1 |
| In the function call related to CAM_REQ_MGR_RELEASE_BUF there is no check if the buffer is being used. So when a function calls cam_mem_get_cpu_buf to get the kernel VA to use, another thread can call CAM_REQ_MGR_RELEASE_BUF to unmap the kernel VA, which causes a UAF of the kernel address. |
| The buffer obtained from kernel APIs such as cam_mem_get_cpu_buf() may be readable/writable in userspace after kernel accesses it. In other words, user mode may race and modify the packet header (e.g. header.count), causing checks (e.g. size checks) in kernel code to be invalid. This may lead to out-of-bounds read/write issues. |
| The cam_get_device_priv function does not check the type of handle being returned (device/session/link). This would lead to invalid type usage if a wrong handle is passed to it. |
| Memory corruption in WLAN HAL while parsing WMI command parameters. |
| Memory corruption in WLAN HOST while processing the WLAN scan descriptor list. |
| Information disclosure in WLAN HAL when reception status handler is called. |
| Memory corruption in WLAN handler while processing PhyID in Tx status handler. |
| Memory corruption in WLAN HAL while processing command parameters from untrusted WMI payload. |
| Information Disclosure in WLAN Host when processing WMI event command. |
| Memory corruption in Video while calling APIs with different instance ID than the one received in initialization. |
| Memory corruption in Linux while calling system configuration APIs. |
| Memory Corruption in Data Network Stack & Connectivity when SIM gets detected on telephony. |
| Memory Corruption in Radio Interface Layer while sending an SMS or writing an SMS to SIM. |
| Information disclosure in DSP Services while loading dynamic module. |
| Memory corruption in Linux while sending DRM request. |
| Memory corruption in modem due to stack based buffer overflow while parsing OTASP Key Generation Request Message. |
| Assertion occurs while processing Reconfiguration message due to improper validation. |
| Transient DOS while parsing ESP IE from beacon/probe response frame. |
| Transient DOS while parsing the BSS parameter change count or MLD capabilities fields of the ML IE. |
| Transient DOS while parsing the ML IE when a beacon has a length field inside the common info of the ML IE that is greater than the ML IE length. |