Download
| Alert*
CVE-2016-10393
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, when processing a clip with large size values, integer arithmetic overflows, and allocated buffer size will be less than intended buffer size. The following buffer operations will overflow ... CVE-2016-10299 An elevation of privilege vulnerability in Qualcomm closed source components. Product: Android. Versions: Android kernel. Android ID: A-32577244. CVE-2016-10298 An elevation of privilege vulnerability in Qualcomm closed source components. Product: Android. Versions: Android kernel. Android ID: A-36393252. CVE-2016-10297 In TrustZone in all Android releases from CAF using the Linux kernel, a Time-of-Check Time-of-Use Race Condition vulnerability could potentially exist. CVE-2016-10238 In QSEE in all Android releases from CAF using the Linux kernel access control may potentially be bypassed due to a page alignment issue. CVE-2016-10237 If shared content protection memory were passed as the secure camera memory buffer by the HLOS to a trusted application (TA) in all Android releases from CAF using the Linux kernel, the TA would not detect an issue and it would be treated as secure memory. CVE-2016-10236 An information disclosure vulnerability in the Qualcomm USB driver. Product: Android. Versions: Android kernel. Android ID: A-33280689. References: QC-CR#1102418. CVE-2016-10235 A denial of service vulnerability in the Qualcomm WiFi driver. Product: Android. Versions: Android kernel. Android ID: A-34390620. References: QC-CR#1046409. CVE-2016-10234 An information disclosure vulnerability in the Qualcomm IPA driver. Product: Android. Versions: Android kernel. Android ID: A-34390017. References: QC-CR#1069060. CVE-2016-10233 An elevation of privilege vulnerability in the Qualcomm video driver. Product: Android. Versions: Android kernel. Android ID: A-34389926. References: QC-CR#897452. CVE-2016-10232 An elevation of privilege vulnerability in the Qualcomm video driver. Product: Android. Versions: Android kernel. Android ID: A-34386696. References: QC-CR#1024872. CVE-2016-10231 An elevation of privilege vulnerability in the Qualcomm sound codec driver. Product: Android. Versions: Android kernel. Android ID: A-33966912. References: QC-CR#1096799. CVE-2016-10230 A remote code execution vulnerability in the Qualcomm crypto driver. Product: Android. Versions: Android kernel. Android ID: A-34389927. References: QC-CR#1091408. CVE-2016-10242 A time-of-check time-of-use race condition could potentially exist in the secure file system in all Android releases from CAF using the Linux kernel. CVE-2016-0833 Android allows users to cause a denial of service. CVE-2016-5345 Buffer overflow in the Qualcomm radio driver in Android before 2017-01-05 on Android One devices allows local users to gain privileges via a crafted application, aka Android internal bug 32639452 and Qualcomm internal bug CR1079713. CVE-2016-8484 An elevation of privilege vulnerability in Qualcomm closed source components. Product: Android. Versions: Android kernel. Android ID: A-28823575. CVE-2016-8482 An elevation of privilege vulnerability in the NVIDIA GPU driver. Product: Android. Versions: Android kernel. Android ID: A-31799863. References: N-CVE-2016-8482. CVE-2016-8487 An elevation of privilege vulnerability in Qualcomm closed source components. Product: Android. Versions: Android kernel. Android ID: A-28823724. CVE-2016-8488 An elevation of privilege vulnerability in Qualcomm closed source components. Product: Android. Versions: Android kernel. Android ID: A-31625756. CVE-2016-8485 An information disclosure vulnerability in Qualcomm closed source components. Product: Android. Versions: Android kernel. Android ID: A-28823681. CVE-2016-8486 An information disclosure vulnerability in Qualcomm closed source components. Product: Android. Versions: Android kernel. Android ID: A-28823691. CVE-2014-4959 **DISPUTED** SQL injection vulnerability in SQLiteDatabase.java in the SQLi Api in Android allows remote attackers to execute arbitrary SQL commands via the delete method. CVE-2014-7919 b/libs/gui/ISurfaceComposer.cpp in Android allows attackers to trigger a denial of service (null pointer dereference and process crash). CVE-2014-7952 The backup mechanism in the adb tool in Android might allow attackers to inject additional applications (APKs) and execute arbitrary code by leveraging failure to filter application data streams. CVE-2014-9959 An elevation of privilege vulnerability in Qualcomm closed source components. Product: Android. Versions: Android kernel. Android ID: A-36383694. CVE-2014-9958 An elevation of privilege vulnerability in Qualcomm closed source components. Product: Android. Versions: Android kernel. Android ID: A-36384774. CVE-2014-9955 An elevation of privilege vulnerability in Qualcomm closed source components. Product: Android. Versions: Android kernel. Android ID: A-36384686. CVE-2014-9954 An elevation of privilege vulnerability in Qualcomm closed source components. Product: Android. Versions: Android kernel. Android ID: A-36388559. CVE-2014-9957 An elevation of privilege vulnerability in Qualcomm closed source components. Product: Android. Versions: Android kernel. Android ID: A-36387564. CVE-2014-9956 An elevation of privilege vulnerability in Qualcomm closed source components. Product: Android. Versions: Android kernel. Android ID: A-36389611. CVE-2014-9951 In TrustZone in all Android releases from CAF using the Linux kernel, an Information Exposure Through Timing Discrepancy vulnerability could potentially exist. CVE-2014-9950 In Core Kernel in all Android releases from CAF using the Linux kernel, an Improper Authorization vulnerability could potentially exist. CVE-2014-9953 An elevation of privilege vulnerability in Qualcomm closed source components. Product: Android. Versions: Android kernel. Android ID: A-36714770. CVE-2014-9952 In the Secure File System in all Android releases from CAF using the Linux kernel, a capture-replay vulnerability could potentially exist. CVE-2014-9948 In TrustZone in all Android releases from CAF using the Linux kernel, an Improper Validation of Array Index vulnerability could potentially exist. CVE-2014-9947 In TrustZone in all Android releases from CAF using the Linux kernel, an Information Exposure vulnerability could potentially exist. CVE-2014-9949 In TrustZone in all Android releases from CAF using the Linux kernel, an Untrusted Pointer Dereference vulnerability could potentially exist. CVE-2014-9944 In the Secure File System in all Android releases from CAF using the Linux kernel, an Integer Overflow to Buffer Overflow vulnerability could potentially exist. CVE-2014-9943 In Core Kernel in all Android releases from CAF using the Linux kernel, a Null Pointer Dereference vulnerability could potentially exist. CVE-2014-9946 In Core Kernel in all Android releases from CAF using the Linux kernel, a Use After Free vulnerability could potentially exist. CVE-2014-9945 In TrustZone in all Android releases from CAF using the Linux kernel, an Improper Authorization vulnerability could potentially exist. CVE-2014-9942 In Boot in all Android releases from CAF using the Linux kernel, a Use of Uninitialized Variable vulnerability could potentially exist. CVE-2014-9941 In the Embedded File System in all Android releases from CAF using the Linux kernel, a Time-of-Check Time-of-Use Race Condition vulnerability could potentially exist. CVE-2014-9933 Due to missing input validation in all Android releases from CAF using the Linux kernel, HLOS can write to fuses for which it should not have access. CVE-2014-9932 In TrustZone, an integer overflow vulnerability can potentially occur in all Android releases from CAF using the Linux kernel due to an improper address range computation. CVE-2014-9934 A PKCS#1 v1.5 signature verification routine in all Android releases from CAF using the Linux kernel may not check padding. CVE-2014-9931 A buffer overflow vulnerability in all Android releases from CAF using the Linux kernel can potentially occur if an OEM performs an app region size customization due to a hard-coded value. CVE-2014-9930 In WCDMA in all Android releases from CAF using the Linux kernel, a Use After Free vulnerability could potentially exist. CVE-2014-9929 In WCDMA in all Android releases from CAF using the Linux kernel, a Use of Out-of-range Pointer Offset vulnerability could potentially exist. CVE-2014-9926 In GNSS in all Android releases from CAF using the Linux kernel, a Use After Free vulnerability could potentially exist. CVE-2014-9925 In HDR in all Android releases from CAF using the Linux kernel, a Buffer Copy without Checking Size of Input vulnerability could potentially exist. CVE-2014-9928 In GERAN in all Android releases from CAF using the Linux kernel, a Buffer Copy without Checking Size of Input vulnerability could potentially exist. CVE-2014-9927 In UIM in all Android releases from CAF using the Linux kernel, a Buffer Copy without Checking Size of Input vulnerability could potentially exist. CVE-2014-9924 In 1x in all Android releases from CAF using the Linux kernel, a Signed to Unsigned Conversion Error could potentially occur. CVE-2014-9923 In NAS in all Android releases from CAF using the Linux kernel, a Buffer Copy without Checking Size of Input vulnerability could potentially exist. CVE-2017-0431 An elevation of privilege vulnerability in Qualcomm closed source components. Product: Android. Versions: Android kernel. Android ID: A-32573899. CVE-2017-0869 NVIDIA driver contains an integer overflow vulnerability which could cause a use after free and possibly lead to an elevation of privilege enabling code execution as a privileged process. This issue is rated as high. Version: N/A. Android ID: A-37776156. References: N-CVE-2017-0869. CVE-2017-0748 An information disclosure vulnerability in the Qualcomm audio driver. Product: Android. Versions: Android Kernel. Android ID: A-35764875. References: QC-CR#2029798. CVE-2017-0744 An elevation of privilege vulnerability in the NVIDIA firmware processing code. Product: Android. Versions: Android kernel. Android ID: A-34112726. References: N-CVE-2017-0744. CVE-2017-0751 An elevation of privilege vulnerability in the Qualcomm QCE driver. Product: Android. Versions: Android kernel. Android ID: A-36591162. References: QC-CR#2045061. CVE-2017-11003 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while updating a firmware image, data is read from flash into RAM without checking that the data fits into allotted RAM size. CVE-2017-11005 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a Use After Free condition can occur during a deinitialization path. CVE-2017-11007 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, there is a possibility of stack corruption due to buffer overflow of Partition name while converting ascii string to unicode string in function HandleMetaImgFlash. CVE-2017-11006 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a Use After Free condition can occur during positioning. CVE-2017-11047 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in a graphics driver ioctl handler, the lack of copy_from_user() function calls may result in writes to kernel memory. CVE-2017-11049 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in a video driver, a race condition exists which can potentially lead to a buffer overflow. CVE-2017-11043 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in a WiFI driver function, an integer overflow leading to heap buffer overflow may potentially occur. CVE-2017-11042 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, ImsService and the IQtiImsExt AIDL APIs are not subject to access control. CVE-2017-11045 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in a camera driver function, a race condition exists which can lead to a Use After Free condition. CVE-2017-11044 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in a KGSL driver function, a race condition exists which can lead to a Use After Free condition. CVE-2017-11035 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, possible buffer overflow or information leak in the functions "sme_set_ft_ies" and "csr_roam_issue_ft_preauth_req" due to incorrect initialization of WEXT callbacks and lack of the checks ... CVE-2017-11038 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while processing the boot image header, range checks can be bypassed by supplying different versions of the header at the time of check and use. CVE-2017-11032 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a double free can occur when kmalloc fails to allocate memory for pointers resp/req in the service-locator driver function service_locator_send_msg(). CVE-2017-11031 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, the VIDIOC_G_SDE_ROTATOR_FENCE ioctl command can be used to cause a Use After Free condition. CVE-2017-11033 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in the coresight-tmc driver, a simultaneous read and enable of the ETR device after changing the buffer size may result in a Use After Free condition of the previous buffer. CVE-2017-11030 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in the HDMI video driver function hdmi_edid_sysfs_rda_res_info(), userspace can perform an arbitrary write into kernel memory. CVE-2017-11025 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, due to a race condition in the function audio_effects_shared_ioctl(), memory corruption can occur. CVE-2017-11024 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a race condition in the rmnet USB control driver can potentially lead to a Use After Free condition. CVE-2017-11027 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while flashing UBI image, size is not validated for being smaller than minimum header size causing unintialized data access vulnerability. CVE-2017-11026 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while flashing FRP partition using reference FRP unlock, authentication method can be compromised for static keys. CVE-2017-11023 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, there is a possibility of out-of-bound buffer accesses due to no synchronization in accessing global variables by multiple threads. CVE-2017-11022 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, the probe requests originated from user's phone contains the information elements which specifies the supported wifi features. This shall impact the user's privacy if someone sniffs the pr ... CVE-2017-11029 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, camera application triggers "user-memory-access" issue as the Camera CPP module Linux driver directly accesses the application provided buffer, which resides in user space. An unchecked us ... CVE-2017-11028 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in the ISP Camera driver, the contents of an arbitrary kernel address can be leaked to userspace by the function msm_isp_get_stream_common_data(). CVE-2017-11014 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while parsing a Measurement Request IE in a Roam Neighbor Action Report, a buffer overflow can occur. CVE-2017-11013 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, countOffset (in function UnpackCore) is increased for each loop, while there is no boundary check against "pIe->arraybound". CVE-2017-11016 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, when memory allocation fails while creating a calibration block in create_cal_block stale pointers are left uncleared. CVE-2017-11015 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, currently, the value of SIR_MAC_AUTH_CHALLENGE_LENGTH is set to 128 which may result in buffer overflow since the frame parser allows challenge text of length up to 253 bytes, but the driv ... CVE-2017-11010 In Android before 2018-01-05 on Qualcomm Snapdragon IoT, Snapdragon Mobile MDM9206, MDM9650, SD 210/SD 212/SD 205, SD 625, SD 650/52, SD 835, access control left a configuration space unprotected. CVE-2017-11012 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, when processing a specially crafted QCA_NL80211_VENDOR_SUBCMD_ENCRYPTION_TEST cfg80211 vendor command a stack-based buffer overflow can occur. CVE-2017-11018 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, array access out of bounds may occur in the camera driver in the kernel CVE-2017-11017 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while flashing a specially crafted UBI image, it is possible to corrupt memory, or access uninitialized memory. CVE-2017-11019 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, the fd allocated during the get_metadata was not closed even though the buffer allocated to the fd was freed. This resulted in a failure during exit sequence. CVE-2017-11093 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, buffer Over-read in Display due to the lack of an upper-bound validation when reading "num_of_cea_blocks" from the untrusted source (EDID), kernel memory can be exposed. CVE-2017-11090 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a buffer overread is observed in __wlan_hdd_cfg80211_set_pmksa when user space application sends PMKID of size less than WLAN_PMKID_LEN bytes. CVE-2017-11092 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in the KGSL driver function kgsl_ioctl_gpu_command, a Use After Free condition can potentially occur. CVE-2017-11091 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in the function mdss_rotator_ioctl in the driver /dev/mdss_rotator, a Use-After-Free condition can potentially occur due to a fence being installed too early. CVE-2017-11087 libOmxVenc in Android for MSM, Firefox OS for MSM, and QRD Android copies the output buffer to an application with the "filled length", which is larger than the output buffer's actual size, leading to an information disclosure problem in the context of mediaserver. CVE-2017-11082 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, due to a race condition in a firmware loading routine, a buffer overflow could potentially occur if multiple user space threads try to update the WLAN firmware file through sysfs. CVE-2017-11085 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, an integer overflow leading to a buffer overflow due to improper bound checking in msm_audio_effects_virtualizer_handler, file msm-audio-effects-q6-v2.c CVE-2017-11081 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, there is a potential buffer overflow vulnerability in hdd_parse_setrmcenable_command and hdd_parse_setrmcactionperiod_command APIs as buffers defined in this API can hold maximum 32 bytes ... CVE-2017-11080 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while processing a user supplied sparse image, a buffer overflow vulnerability could occur if the sparse header block size is equal to 4294967296. CVE-2017-11079 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while processing sparse image, uninitialized heap memory can potentially be flashed due to the lack of validation of sparse image block header size. CVE-2017-11075 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, if cmd_pkt and reg_pkt are called from different userspace threads, a use after free condition can potentially occur in wdsp_glink_write( ... CVE-2017-11078 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing the boot image header, an out of bounds read can occur in boot. CVE-2017-11072 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while calculating CRC for GPT header fields with partition entries greater than 16384 buffer overflow occurs. CVE-2017-11074 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, there is an obsolete set/reset ssid hotlist API. CVE-2017-11073 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, the qcacld pktlog allows mapping memory via /proc/ath_pktlog/cld to user space. CVE-2017-11069 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, manipulation of SafeSwitch Image data can result in Heap overflow. CVE-2017-11066 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while flashing ubi image an uninitialized memory could be accessed. CVE-2017-11058 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while processing a specially crafted cfg80211 vendor command, a buffer over-read can occur. CVE-2017-13303 A information disclosure vulnerability in the Broadcom bcmdhd driver. Product: Android. Versions: Android kernel. Android ID: A-71359108. References: B-V2018010501. CVE-2017-13304 A information disclosure vulnerability in the Upstream kernel mnh_sm driver. Product: Android. Versions: Android kernel. Android ID: A-70576999. CVE-2017-13307 A elevation of privilege vulnerability in the Upstream kernel pci sysfs. Product: Android. Versions: Android kernel. Android ID: A-69128924. CVE-2017-13306 A elevation of privilege vulnerability in the Upstream kernel mnh driver. Product: Android. Versions: Android kernel. Android ID: A-70295063. CVE-2017-13226 An elevation of privilege vulnerability in the MediaTek mtk. Product: Android. Versions: Android kernel. Android ID: A-32591194. References: M-ALPS03149184. CVE-2017-13225 In libMtkOmxVdec.so there is a possible heap buffer overflow. This could lead to a remote elevation of privilege enabling code execution as a privileged process with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android kernel. An ... CVE-2017-13222 An information disclosure vulnerability in the Upstream kernel kernel. Product: Android. Versions: Android kernel. Android ID: A-38159576. CVE-2017-13221 An elevation of privilege vulnerability in the Upstream kernel wifi driver. Product: Android. Versions: Android kernel. Android ID: A-64709938. CVE-2017-13216 In ashmem_ioctl of ashmem.c, there is an out-of-bounds write due to insufficient locking when accessing asma. This could lead to a local elevation of privilege enabling code execution as a privileged process with no additional execution privileges needed. User interaction is not needed for exploitat ... CVE-2017-13213 An elevation of privilege vulnerability in the Broadcom bcmdhd driver. Product: Android. Versions: Android kernel. Android ID: A-63374465. References: B-V2017081501. CVE-2017-13214 In the hardware HEVC decoder, some media files could cause a page fault. This could lead to a remote denial of service of a critical system process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: ... CVE-2017-13219 A denial of service vulnerability in the Upstream kernel synaptics touchscreen controller. Product: Android. Versions: Android kernel. Android ID: A-62800865. CVE-2017-13217 In DisplayFtmItem in the bootloader, there is an out-of-bounds write due to reading a string without verifying that it's null-terminated. This could lead to a secure boot bypass and a local elevation of privilege enabling code execution as a privileged process with no additional execution privileges ... CVE-2017-13218 Access to CNTVCT_EL0 in Small Cell SoC, Snapdragon Automobile, Snapdragon Mobile and Snapdragon Wear could be used for side channel attacks and this could lead to local information disclosure with no additional execution privileges needed in FSM9055, IPQ4019, IPQ8064, MDM9206, MDM9607, MDM9635M, MDM ... CVE-2017-13273 In xt_qtaguid.c, there is a race condition due to insufficient locking. This could lead to local elevation of privileges with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-65853158. CVE-2017-13271 A elevation of privilege vulnerability in the upstream kernel mnh_sm driver. Product: Android. Versions: Android kernel. Android ID: A-69006799. CVE-2017-13270 A elevation of privilege vulnerability in the upstream kernel mnh_sm driver. Product: Android. Versions: Android kernel. Android ID: A-69474744. CVE-2017-13246 A information disclosure vulnerability in the Upstream kernel network driver. Product: Android. Versions: Android kernel. ID: A-36279469. CVE-2017-13247 In the Pixel 2 bootloader, there is a missing permission check which bypasses carrier bootloader lock. This could lead to local elevation of privileges with user execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-71 ... CVE-2017-13244 A elevation of privilege vulnerability in the Upstream kernel easel. Product: Android. Versions: Android kernel. ID: A-62678986. CVE-2017-13245 A elevation of privilege vulnerability in the Upstream kernel audio driver. Product: Android. Versions: Android kernel. ID: A-64315347. CVE-2017-13238 In XBLRamDump mode, there is a debug feature that can be used to dump memory contents, if an attacker has physical access to the device. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. ... CVE-2017-13174 An elevation of privilege vulnerability in the kernel edl. Product: Android. Versions: Android kernel. Android ID A-63100473. CVE-2017-13175 An information disclosure vulnerability in the NVIDIA libwilhelm. Product: Android. Versions: Android kernel. Android ID A-64339309. References: N-CVE-2017-13175. CVE-2017-13172 An elevation of privilege vulnerability in the MediaTek bluetooth driver. Product: Android. Versions: Android kernel. Android ID A-36493287. References: M-ALPS03495791. CVE-2017-13293 In the nfc_hci_cmd_received() function of core.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. V ... CVE-2017-13173 An elevation of privilege vulnerability in the MediaTek system server. Product: Android. Versions: Android kernel. Android ID A-28067350. References: M-ALPS02672361. CVE-2017-13170 An elevation of privilege vulnerability in the MediaTek display driver. Product: Android. Versions: Android kernel. Android ID A-36102397. References: M-ALPS03359280. CVE-2017-13171 An elevation of privilege vulnerability in the MediaTek performance service. Product: Android. Versions: Android kernel. Android ID A-64316572. References: M-ALPS03479086. CVE-2017-13292 In wl_get_assoc_ies of wl_cfg80211.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Androi ... CVE-2017-13169 An information disclosure vulnerability in the kernel camera server. Product: Android. Versions: Android kernel. Android ID A-37512375. CVE-2017-13165 An elevation of privilege vulnerability in the kernel file system. Product: Android. Versions: Android kernel. Android ID A-31269937. CVE-2017-13163 An elevation of privilege vulnerability in the kernel mtp usb driver. Product: Android. Versions: Android kernel. Android ID A-37429972. CVE-2017-13164 An information disclosure vulnerability in the kernel binder driver. Product: Android. Versions: Android kernel. Android ID A-36007193. CVE-2017-13161 An elevation of privilege vulnerability in the Broadcom wireless driver. Product: Android. Versions: Android kernel. Android ID A-63930471. References: BC-V2017092501. CVE-2017-13162 An elevation of privilege vulnerability in the kernel binder. Product: Android. Versions: Android kernel. Android ID A-64216036. CVE-2017-14918 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in the GPS location wireless interface, a Use After Free condition can occur. CVE-2017-14917 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, buffer sizes in the message passing interface are not properly validated. CVE-2017-14916 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, buffer sizes in the message passing interface are not properly validated. CVE-2017-14914 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, handles in the global client structure can become stale. CVE-2017-14909 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a count value that is read from a file is not properly validated. CVE-2017-14908 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, the SafeSwitch test application does not properly validate the number of blocks to verify. CVE-2017-14907 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, cryptographic strength is reduced while deriving disk encryption key. CVE-2017-14906 In Android before 2018-01-05 on Qualcomm Snapdragon IoT, Snapdragon Mobile MDM9206, MDM9607, MSM8909W, SD 210/SD 212/SD 205, SD 410/12, PKCS7 padding is not supported by the crypto storage APIs. CVE-2017-14905 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while processing a specially crafted cfg80211 vendor command, a buffer over-read can occur. CVE-2017-14904 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a crafted binder request can cause an arbitrary unmap in MediaServer. CVE-2017-14903 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while processing the SENDACTIONFRAME IOCTL, a buffer over-read can occur if the payload length is less than 7. CVE-2017-14902 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, due to a race condition in the GLink kernel driver, a Use After Free condition can potentially occur. CVE-2017-14901 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while processing the QCA_NL80211_VENDOR_SUBCMD_SET_TXPOWER_SCALE vendor command, in which attribute QCA_WLAN_VENDOR_ATTR_TXPOWER_SCALE contains fewer than 1 byte, a buffer overrun occurs. CVE-2017-14900 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while processing the QCA_NL80211_VENDOR_SUBCMD_GET_CHAIN_RSSI vendor command, in which attribute QCA_WLAN_VENDOR_ATTR_MAC_ADDR contains fewer than 6 bytes, a buffer overrun occurs. CVE-2017-14880 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, while IPA WAN-driver is processing multiple requests from modem/user-space module, the global variable "num_q6_rule" does not have a mute ... CVE-2017-14877 While the IPA driver in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-08-31 is processing IOCTL commands there is no mutex lock of allocated memory. If one thread sends an ioctl cmd IPA_IOC_QUERY_RT_TBL_INDEX while another sends an ioctl cmd IPA_IOC_DEL_RT_RULE, a use-after-free c ... CVE-2017-14876 In msm_ispif_config_stereo() in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-06-21, the parameter params->entries[i].vfe_intf comes from userspace without any bounds check which could potentially result in a kernel out-of-bounds write. CVE-2017-14875 In the handler for the ioctl command VIDIOC_MSM_ISP_DUAL_HW_LPM_MODE in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-05-23, a heap overread vulnerability exists. CVE-2017-14873 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in the pp_pgc_get_config() graphics driver function, a kernel memory overwrite can potentially occur. CVE-2017-14872 While flashing a meta image, a buffer over-read can potentially occur when the number of images are out of the maximum range of 32 in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05. CVE-2017-14870 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while updating the recovery message for eMMC devices, 1088 bytes of stack memory can potentially be leaked. CVE-2017-14879 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, by calling an IPA ioctl and searching for routing/filer/hdr rule handle from ipa_idr pointer using ipa_idr_find() function, the wrong structure pointer can be returned resulting in a slab ... CVE-2017-14878 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a length variable which is used to copy data has a size of only 8 bits and can be exceeded resulting in a denial of service. CVE-2017-14869 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while performing update of FOTA partition, uninitialized data can be pushed to storage. CVE-2017-14899 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while processing the QCA_NL80211_VENDOR_SUBCMD_SET_TXPOWER_SCALE_DECR_DB vendor command, in which attribute QCA_WLAN_VENDOR_ATTR_TXPOWER_SCALE_DECR_DB contains fewer than 1 byte, a buffer ... CVE-2017-14898 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while processing the QCA_NL80211_VENDOR_SUBCMD_SET_TXPOWER_SCALE vendor command, in which attribute QCA_WLAN_VENDOR_ATTR_TXPOWER_SCALE contains fewer than 1 byte, a buffer overrun occurs. CVE-2017-14897 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while handling the QSEOS_RPMB_CHECK_PROV_STATUS_COMMAND, a userspace buffer is directly accessed in kernel space. CVE-2017-14896 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, there is a memory allocation without a length field validation in the mobicore driver which can result in an undersize buffer allocation. Ultimately this can result in a kernel memory over ... CVE-2017-14895 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, after a subsystem reset, iwpriv is not giving correct information. CVE-2017-14894 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, in wma_vdev_start_resp_handler(), vdev id is received from firmware as part of WMI_VDEV_START_RESP_EVENTID. This vdev id can be greater t ... CVE-2017-14893 While flashing meta image, a buffer over-read may potentially occur when the image size is smaller than the image header size or is smaller than the image header size + total image header entry in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) bef ... CVE-2017-14892 In the function msm_pcm_hw_params() in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-09-19, the return value of q6asm_open_shared_io() is not checked properly potentially leading to a possible dangling pointer access. CVE-2017-14891 In the KGSL driver function _gpuobj_map_useraddr() in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-10-12, the contents of the stack can get leaked due to an uninitialized variable. CVE-2017-14890 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, in the processing of an SWBA event, the vdev_map value is not properly validated leading to a potential buffer overwrite in function wma_ ... CVE-2017-14888 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Userspace can pass IEs to the host driver and if multiple append commands are received, then the integer variable that stores the length can overflow and the subsequent copy of the IE data may ... CVE-2017-14887 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in the processing of messages of type eWNI_SME_MODIFY_ADDITIONAL_IES, an integer overflow leading to heap buffer overflow may potentially occur. CVE-2017-14885 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, wma_unified_link_peer_stats_event_handler function has a variable num_rates which represents the sum of all the peer_stats->num_rates. The current behavior in this function is to validate ... CVE-2017-14884 In all Qualcomm products with Android releases from CAF using the Linux kernel, due to lack of bounds checking on the variable "data_len" from the function WLANQCMBR_McProcessMsg, a buffer overflow may potentially occur in WLANFTM_McProcessMsg. CVE-2017-14883 In the function wma_unified_power_debug_stats_event_handler() in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-10-18, if the value param_buf->num_debug_register received from the FW command buffer is close to max of uint32, then the computation performed using this variable to cal ... CVE-2017-14882 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while processing VENDOR specific action frame in the function lim_process_action_vendor_specific(), a comparison is performed with the incoming action frame body without validating if the ... CVE-2017-14881 While calling the IPA IOCTL handler for IPA_IOC_ADD_HDR_PROC_CTX in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-10-13, a use-after-free condition may potentially occur. CVE-2017-14889 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, due to the lack of a range check on the array index into the WMI descriptor pool, arbitrary address execution may potentially occur in the process mgmt completion handler. CVE-2017-15845 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, an invalid input of firmware size (negative value) from user space can potentially lead to the memory leak or buffer overflow during the WLAN cal data store operation. CVE-2017-15844 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing the function for writing device values into flash, uninitialized memory can be written to flash. CVE-2017-15843 Due to a race condition in a bus driver, a double free in msm_bus_floor_vote_context() can potentially occur in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. CVE-2017-15842 Buffer might get used after it gets freed due to unlocking the mutex before freeing the buffer in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. CVE-2017-15849 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a LayerStack can be destroyed in between Validate and Commit by the application resulting in a Use After Free condition. CVE-2017-15848 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in the fastrpc kernel driver, a buffer overflow vulnerability from userspace may potentially exist. CVE-2017-15847 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in the SPCom kernel driver, a race condition exists when creating a channel. CVE-2017-15846 In the video_ioctl2() function in the camera driver in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-09-16, an untrusted pointer dereference may potentially occur. CVE-2017-15834 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, race condition in diag_dbgfs_read_dcistats(), while accessing diag_dbgfs_dci_data_index, causes potential heap overflow. CVE-2017-15833 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, untrusted pointer dereference in update_userspace_power() function in power leads to information exposure. CVE-2017-15831 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in the function wma_ndp_end_indication_event_handler(), there is no input validation check on a event_info value coming from firmware, which can cause an integer overflow and then leads to ... CVE-2017-15830 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper ch_list array index initialization in function sme_set_plm_request() causes potential buffer overflow. CVE-2017-15837 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, a policy for the packet pattern attribute NL80211_PKTPAT_OFFSET is not defined which can lead to a buffer over-read in nla_get_u32(). CVE-2017-15836 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, if the firmware sends a service ready event to the host with a large number in the num_hw_modes or num_phy, then it could result in an in ... CVE-2017-15835 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, While processing the RIC Data Descriptor IE in an artificially crafted 802.11 frame with IE length more than 255, an infinite loop may potentially occur resulting in a denial of service. CVE-2017-15823 In spectral_create_samp_msg() in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-10-11, some values from firmware are not properly validated potentially leading to a buffer overflow. CVE-2017-15822 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, while processing a 802.11 management frame, a buffer overflow may potentially occur. CVE-2017-15821 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in the function wma_p2p_noa_event_handler(), there is no bound check on a value coming from firmware which can potentially lead to a buffer overwrite. CVE-2017-15820 In all Qualcomm products with Android releases from CAF using the Linux kernel, in a KGSL IOCTL handler, a Use After Free Condition can potentially occur. CVE-2017-15829 In all Qualcomm products with Android releases from CAF using the Linux kernel, a race condition exists in a GPU Driver which can potentially lead to a Use After Free condition. CVE-2017-15828 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while accessing the keystore in LK, an integer overflow vulnerability exists which may potentially lead to a buffer overflow. CVE-2017-15826 Due to a race condition in MDSS rotator in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-10-20, a double free vulnerability may potentially exist when two threads free the same perf structures. CVE-2017-15825 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing a gpt update, an out of bounds memory access may potentially occur. CVE-2017-15824 In Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05, the function UpdateDeviceStatus() writes a local stack buffer without initialization to flash memory using WriteToPartition() which may potentially leak memo ... CVE-2017-15818 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while loading a user application in qseecom, an integer overflow could potentially occur if the application partition size is rounded up to page_size. CVE-2017-15817 In all Qualcomm products with Android releases from CAF using the Linux kernel, when an access point sends a challenge text greater than 128 bytes, the host driver is unable to validate this potentially leading to authentication failure. CVE-2017-15815 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a potential buffer overflow can happen when processing any 802.11 MGMT frames like Auth frame in limProcessAuthFrame. CVE-2017-15814 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in msm_flash_subdev_do_ioctl of drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c, there is a possible out of bounds read if flash_data.cfg_type is CFG_FLASH_INIT due to improp ... CVE-2017-15813 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a buffer overflow can occur while reading firmware logs. CVE-2017-15862 In all Qualcomm products with Android releases from CAF using the Linux kernel, in wma_unified_link_radio_stats_event_handler(), the number of radio channels coming from firmware is not properly validated, potentially leading to an integer overflow vulnerability followed by a buffer overflow. CVE-2017-15861 In all Qualcomm products with Android releases from CAF using the Linux kernel, in the function wma_roam_synch_event_handler, vdev_id is received from firmware and used to access an array without validation. CVE-2017-15860 In all Qualcomm products with Android releases from CAF using the Linux kernel, while processing an encrypted authentication management frame, a stack buffer overflow may potentially occur. CVE-2017-15856 Due to a race condition while processing the power stats debug file to read status, a double free condition can occur in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05. CVE-2017-15855 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, the camera application triggers "user-memory-access" issue as the Camera CPP module Linux driver directly accesses the application provid ... CVE-2017-15854 The value of fix_param->num_chans is received from firmware and if it is too large, an integer overflow can occur in wma_radio_chan_stats_event_handler() for the derived length len leading to a subsequent buffer overflow in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Andr ... CVE-2017-15853 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, while processing PTT commands, ptt_sock_send_msg_to_app() is invoked without validating the packet length. If the packet length is invali ... CVE-2017-15852 Information leak of the ISPIF base address in Android for MSM, Firefox OS for MSM, and QRD Android can occur in the camera driver. CVE-2017-15851 Lack of copy_from_user and information leak in function "msm_ois_subdev_do_ioctl, file msm_ois.c can lead to a camera crash in all Android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel CVE-2017-15850 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, userspace can read values from audio codec registers. CVE-2017-15859 While processing the QCA_NL80211_VENDOR_SUBCMD_SET_TXPOWER_SCALE_DECR_DB vendor command, in which attribute QCA_WLAN_VENDOR_ATTR_TXPOWER_SCALE_DECR_DB contains fewer than 1 byte, in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-08-11 a buffer overrun occurs. CVE-2017-15857 In the camera driver, an out-of-bounds access can occur due to an error in copying region params from user space in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. CVE-2017-18169 User process can perform the kernel DOS in ashmem when doing cache maintenance operation in all Android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel. CVE-2017-18281 A bool variable in Video function, which gets typecasted to int before being read could result in an out of bound read access in all Android releases from CAF using the linux kernel CVE-2017-18159 In Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05, while processing a StrHwPlatform with length smaller than EFICHIPINFO_MAX_ID_LENGTH, an array out of bounds access may occur. CVE-2017-18154 A crafted binder request can cause an arbitrary unmap in MediaServer in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. CVE-2017-18158 Possible buffer overflows and array out of bounds accesses in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05 while flashing images. CVE-2017-18147 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, in MMCP, a downlink message is not being properly validated. CVE-2017-18070 In wma_ndp_end_response_event_handler(), the variable len_end_rsp is a uint32 which can be overflowed if the value of variable "event->num_ndp_end_rsp_per_ndi_list" is very large which can then lead to a heap overwrite of the heap object end_rsp in all Android releases from CAF (Android for MSM, Fir ... CVE-2017-18063 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper input validation for nlo_event in wma_nlo_match_evt_handler(), which is received from firmware, leads to potential out of bound memory access. CVE-2017-18064 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper input validation for p2p_noa_info in wma_send_bcn_buf_ll() which is received from firmware leads to potential buffer overflow. CVE-2017-18065 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper input validation for vent->vdev_id in wma_action_frame_filter_mac_event_handler(), which is received from firmware, leads to arbitrary code execution. CVE-2017-18066 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper controls in MSM CORE leads to use memory after it is freed in msm_core_ioctl(). CVE-2017-18067 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper input validation while processing an encrypted authentication management frame in lim_send_auth_mgmt_frame() leads to buffer overflow. CVE-2017-18068 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper buffer length calculation in wma_roam_scan_filter() leads to buffer overflow. CVE-2017-18069 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper message length calculation in oem_cmd_handler() while processing a WLAN_NL_MSG_OEM netlink message leads to buffer overread. CVE-2017-18060 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper input validation for resp_event->vdev_id in wma_unified_bcntx_status_event_handler(), which is received from firmware, leads to potential out of bounds memory read. CVE-2017-18061 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, potential buffer overflow can happen when processing AOA measurement event from WIGIG firmware in wil_aoa_evt_meas(). CVE-2017-18062 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, potential buffer overflow can happen when processing UTF event in wma_process_utf_event(). CVE-2017-18052 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper input validation for cmpl_params->num_reports, param_buf->desc_ids and param_buf->status in wma_mgmt_tx_bundle_completion_handler(), which is received from firmware, leads to pote ... CVE-2017-18053 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper input validation for fix_param->vdev_id in wma_p2p_lo_event_handler(), which is received from firmware, leads to potential out of bounds memory read. CVE-2017-18054 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper input validation for num_vdev_mac_entries in wma_pdev_hw_mode_transition_evt_handler(), which is received from firmware, leads to potential buffer overflow. CVE-2017-18055 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper input validation for wmi_event->num_vdev_mac_entries in wma_pdev_set_hw_mode_resp_evt_handler(), which is received from firmware, leads to potential buffer overflow. CVE-2017-18056 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper input validation for vdev_id in wma_unified_bcntx_status_event_handler() which is received from firmware leads to potential out of bounds memory read. CVE-2017-18057 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper input validation for vdev id in wma_nlo_scan_cmp_evt_handler(), which is received from firmware, leads to potential out of bounds memory read. CVE-2017-18058 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper input validation for wow_buf_pkt_len in wma_wow_wakeup_host_event() which is received from firmware leads to potential out of bounds memory read. CVE-2017-18059 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper input validation for vdev id in wma_scan_event_callback(), which is received from firmware, leads to potential out of bounds memory read. CVE-2017-18050 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper input validation for vdev_map in wma_tbttoffset_update_event_handler(), which is received from firmware, leads to potential buffer overwrite and out of bounds memory read. CVE-2017-18051 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper input validation for event->vdev_id in wma_rcpi_event_handler(), which is received from firmware, leads to potential out of bounds memory read. CVE-2017-17860 In Samsung Gear products, Bluetooth link key is updated to the different key which is same with attacker's link key. It can be attacked without user's intention only if attacker can reveal the Bluetooth address of target device and paired user's smartphone CVE-2017-17770 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, in a power driver ioctl handler, an Untrusted Pointer Dereference may potentially occur. CVE-2017-17771 In msm_isp_prepare_v4l2_buf in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-02-12, an array out of bounds can occur. CVE-2017-17764 In all Qualcomm products with Android releases from CAF using the Linux kernel, the num_failure_info value from firmware is not properly validated in wma_rx_aggr_failure_event_handler() so that an integer overflow vulnerability in a buffer size calculation may potentially lead to a buffer overflow. CVE-2017-17765 In all Qualcomm products with Android releases from CAF using the Linux kernel, multiple values received from firmware are not properly validated in wma_get_ll_stats_ext_buf() and are used to allocate the sizes of buffers and may be vulnerable to integer overflow leading to buffer overflow. CVE-2017-17766 In wma_peer_info_event_handler() in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-10-03, the value of num_peers received from firmware is not properly validated so that an integer overflow vulnerability in the size of a buffer allocation may potentially lead to a buffer overflow. CVE-2017-17767 In all Qualcomm products with Android releases from CAF using the Linux kernel, the IL client may free a buffer OMX Video Encoder Component and then subsequently access the already freed buffer. CVE-2017-17769 Information leakage in Android for MSM, Firefox OS for MSM, and QRD Android can occur in the audio driver. CVE-2017-6275 An information disclosure vulnerability exists in the Thermal Driver, where a missing bounds checking in the thermal driver could allow a read from an arbitrary kernel address. This issue is rated as moderate. Product: Pixel. Versions: N/A. Android ID: A-34702397. References: N-CVE-2017-6275. CVE-2017-6276 NVIDIA mediaserver contains a vulnerability where it is possible a use after free malfunction can occur due to an incorrect bounds check which could enable unauthorized code execution and possibly lead to elevation of privileges. This issue is rated as high. Product: Android. Version: N/A. Android: ... CVE-2017-6279 NVIDIA libnvmmlite_audio.so contains an elevation of privilege vulnerability when running in media server which may cause an out of bounds write and could lead to local code execution in a privileged process. This issue is rated as high. Product: Android. Version: N/A. Android: A-65023166. Reference ... CVE-2017-6274 An elevation of Privilege vulnerability exists in the Thermal Driver, where a missing bounds checks in the thermal throttle driver can cause an out-of-bounds write in the kernel. This issue is rated as moderate. Product: Pixel. Version: N/A. Android ID: A-34705801. References: N-CVE-2017-6274. CVE-2017-6288 NVIDIA libnvrm contains a possible out of bounds read due to a missing bounds check which could lead to local information disclosure. This issue is rated as moderate. Product: Android. Version: N/A. Android: A-65482562. Reference: N-CVE-2017-6288. CVE-2017-6289 In Android before the 2018-05-05 security patch level, NVIDIA Trusted Execution Environment (TEE) contains a memory corruption (due to unusual root cause) vulnerability, which if run within the speculative execution of the TEE, may lead to local escalation of privileges. This issue is rated as criti ... CVE-2017-6286 NVIDIA libnvomx contains a possible out of bounds write due to a missing bounds check which could lead to local escalation of privilege. This issue is rated as high. Product: Android. Version: N/A. Android: A-64893247. Reference: N-CVE-2017-6286. CVE-2017-6287 NVIDIA libnvrm contains a possible out of bounds read due to a missing bounds check which could lead to local information disclosure. This issue is rated as moderate.Product: Android. Version: N/A. Android: A-64893264. Reference: N-CVE-2017-6287. CVE-2017-6280 NVIDIA driver contains a possible out-of-bounds read vulnerability due to a leak which may lead to information disclosure. This issue is rated as moderate. Android: A-63851980. CVE-2017-6281 NVIDIA libnvomx contains a possible out of bounds write due to a improper input validation which could lead to local escalation of privilege. This issue is rated as high. Product: Android. Version: N/A. Android: A-66969318. Reference: N-CVE-2017-6281. CVE-2017-6284 NVIDIA Security Engine contains a vulnerability in the Deterministic Random Bit Generator (DRBG) where the DRBG does not properly initialize and store or transmits sensitive data using a weakened encryption scheme that is unable to protect sensitive data which may lead to information disclosure.This ... CVE-2017-6285 NVIDIA libnvrm contains a possible out of bounds read due to a missing bounds check which could lead to local information disclosure. This issue is rated as moderate. Product: Android. Version: N/A. Android: A-64893156. Reference: N-CVE-2017-6285. CVE-2017-6282 NVIDIA Tegra kernel driver contains a vulnerability in NVMAP where an attacker has the ability to write an arbitrary value to an arbitrary location which may lead to an escalation of privileges. This issue is rated as high. CVE-2017-6283 NVIDIA Security Engine contains a vulnerability in the RSA function where the keyslot read/write lock permissions are cleared on a chip reset which may lead to information disclosure. This issue is rated as high. CVE-2017-6292 In Android before the 2018-06-05 security patch level, NVIDIA TLZ TrustZone contains a possible out of bounds write due to integer overflow which could lead to local escalation of privilege in the TrustZone with no additional execution privileges needed. User interaction is not needed for exploitati ... CVE-2017-6290 In Android before the 2018-06-05 security patch level, NVIDIA TLK TrustZone contains a possible out of bounds write due to an integer overflow which could lead to local escalation of privilege with no additional execution privileges needed. User interaction not needed for exploitation. This issue is ... CVE-2017-6295 NVIDIA TrustZone Software contains a vulnerability in the Keymaster implementation where the software reads data past the end, or before the beginning, of the intended buffer; and may lead to denial of service or information disclosure. This issue is rated as high. CVE-2017-6296 NVIDIA TrustZone Software contains a TOCTOU issue in the DRM application which may lead to the denial of service or possible escalation of privileges. This issue is rated as moderate. CVE-2017-6293 In Android before the 2018-05-05 security patch level, NVIDIA Tegra X1 TZ contains a vulnerability in Widevine TA where the software writes data past the end, or before the beginning, of the intended buffer, which may lead to escalation of Privileges. This issue is rated as high. Android: A-69377364 ... CVE-2017-6294 In Android before the 2018-06-05 security patch level, NVIDIA Tegra X1 TZ contains a possible out of bounds write due to missing bounds check which could lead to escalation of privilege from the kernel to the TZ. User interaction is not needed for exploitation. This issue is rated as high. Version: ... CVE-2017-6426 An information disclosure vulnerability in the Qualcomm SPMI driver. Product: Android. Versions: Android kernel. Android ID: A-33644474. References: QC-CR#1106842. CVE-2017-6424 An elevation of privilege vulnerability in the Qualcomm WiFi driver. Product: Android. Versions: Android kernel. Android ID: A-32086742. References: QC-CR#1102648. CVE-2017-6425 An information disclosure vulnerability in the Qualcomm video driver. Product: Android. Versions: Android kernel. Android ID: A-32577085. References: QC-CR#1103689. CVE-2017-6423 An elevation of privilege vulnerability in the Qualcomm kyro L2 driver. Product: Android. Versions: Android kernel. Android ID: A-32831370. References: QC-CR#1103158. CVE-2017-6258 NVIDIA libnvmmlite_audio.so contains an elevation of privilege vulnerability when running in media server which may cause an out of bounds write and could lead to local code execution in a privileged process. This issue is rated as high. Product: Android. Version: N/A. Android: A-38027496. Reference ... CVE-2017-6262 NVIDIA driver contains a vulnerability where it is possible a use after free malfunction can occur due to a race condition which could enable unauthorized code execution and possibly lead to elevation of privileges. This issue is rated as high. Product: Android. Version: N/A. Android ID: A-38045794. ... CVE-2017-6263 NVIDIA driver contains a vulnerability where it is possible a use after free malfunction can occur due to improper usage of the list_for_each kernel macro which could enable unauthorized code execution and possibly lead to elevation of privileges. This issue is rated as high. Product: Android. Versi ... CVE-2017-6211 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in the processing of a downlink supplementary services message, a buffer overflow can occur. CVE-2017-8258 An array out-of-bounds access in all Qualcomm products with Android releases from CAF using the Linux kernel can potentially occur in a camera driver. CVE-2017-8259 In the service locator in all Qualcomm products with Android releases from CAF using the Linux kernel, a buffer overflow can occur as the variable set for determining the size of the buffer is not used to indicate the size of the buffer. CVE-2017-8269 Userspace-controlled non null terminated parameter for IPA WAN ioctl in all Qualcomm products with Android releases from CAF using the Linux kernel can lead to exposure of kernel memory. CVE-2017-8264 A userspace process can cause a Denial of Service in the camera driver in all Qualcomm products with Android releases from CAF using the Linux kernel. CVE-2017-8279 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, missing race condition protection while updating msg mask table can lead to buffer over-read. Also access to freed memory can happen while updating msg_mask information. CVE-2017-8271 Out of bound memory write can happen in the MDSS Rotator driver in all Qualcomm products with Android releases from CAF using the Linux kernel by an unsanitized userspace-controlled parameter. CVE-2017-8273 In all Qualcomm products with Android release from CAF using the Linux kernel, while processing fastboot boot command when verified boot feature is disabled, with length greater than boot image buffer, a buffer overflow can occur. CVE-2017-7759 Android intent URLs given to Firefox for Android can be used to navigate from HTTP or HTTPS URLs to local "file:" URLs, allowing for the reading of local data through a violation of same-origin policy. Note: This attack only affects Firefox for Android. Other operating systems are not affected. This ... CVE-2017-9689 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a specially-crafted HDMI CEC message can be used to cause stack memory corruption. CVE-2017-9681 In Android before 2017-08-05 on Qualcomm MSM, Firefox OS for MSM, QRD Android, and all Android releases from CAF using the Linux kernel, if kernel memory address is passed from userspace through iris_vidioc_s_ext_ctrls ioctl, it will print kernel address data. A user could set it to an arbitrary ker ... CVE-2017-9696 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, buffer over-read is possible in camera driver function msm_isp_stop_stats_stream. Variable stream_cfg_cmd->num_streams is from userspace, and it is not checked against "MSM_ISP_STATS_MAX". CVE-2017-9698 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improperly specified offset/size values for a submission command could cause a math operation to overflow and could result in an access to arbitrary memory. The combined pointer will overf ... CVE-2017-9692 When an atomic commit is issued on a writeback panel with a NULL output_layer parameter in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-06-03, a NULL pointer dereference may potentially occur. CVE-2017-9693 The length of attribute value for STA_EXT_CAPABILITY in __wlan_hdd_change_station in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-06-06 being less than the actual lenth of StaParams.extn_capability results in a read for extra bytes when a memcpy is done from params->ext_capab to ... CVE-2017-9690 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in a qbt1000 ioctl handler, an incorrect buffer size check has an integer overflow vulnerability potentially leading to a buffer overflow. CVE-2017-9691 There is a race condition in Android for MSM, Firefox OS for MSM, and QRD Android that allows to access to already free'd memory in the debug message output functionality contained within the mobicore driver. CVE-2017-9708 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in the camera driver, the function "msm_ois_power_down" is called without a mutex and a race condition can occur in variable "*reg_ptr" of sub function "msm_camera_config_single_vreg". CVE-2017-9709 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a privilege escalation vulnerability exists in telephony. CVE-2017-9704 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, There is no synchronization between msm_vb2 buffer operations which can lead to use after free. CVE-2017-9705 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, concurrent rx notifications and read() operations in the G-Link PKT driver can result in a double free condition due to missing locking resulting in list_del() and list_add() overlapping a ... CVE-2017-9700 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, buffer overwrite is possible in fw_name_store if image name is 64 characters. CVE-2017-9701 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while processing OEM unlock/unlock-go fastboot commands data leak may occur, resulting from writing uninitialized stack structure to non-volatile memory. CVE-2017-9702 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a user-space pointer is directly accessed in a camera driver. CVE-2017-9703 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a race condition in a Camera driver can lead to a Use After Free condition. CVE-2017-9719 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in the kernel driver MDSS, a buffer overflow can occur in HDMI CEC parsing if frame size is out of range. CVE-2017-9716 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, the qbt1000 driver implements an alternative channel for usermode applications to talk to QSEE applications. CVE-2017-9718 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a race condition in a multimedia driver can potentially lead to a buffer overwrite. CVE-2017-9712 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, if userspace provides a too-large IE length in wlan_hdd_cfg80211_set_ie, a buffer over-read occurs. CVE-2017-9710 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, IOCTL interface to send QMI NOTIFY REQ messages can be called from multiple contexts which can result in buffer overflow of msg cache. CVE-2017-9722 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, when updating custom EDID (hdmi_tx_sysfs_wta_edid), if edid_size, which is controlled by userspace, is too large, a buffer overflow occurs. CVE-2017-9723 The touchscreen driver synaptics_dsx in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-06-05, the size of a stack-allocated buffer can be set to a value which exceeds the size of the stack. CVE-2017-9721 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in the boot loader, a buffer overflow can occur while parsing the splash image. CVE-2018-11260 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing a fast Initial link setup (FILS) connection request, integer overflow may lead to a buffer overflow when the key length is zero. CVE-2018-11270 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, memory allocated with devm_kzalloc is automatically released by the kernel if the probe function fails with an error code. This may result in data corruption. CVE-2018-11265 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, possible buffer overflow while incrementing the log_buf of type uint64_t in memcpy function, since the log_buf pointer can access the memory beyond the size to store the data after pointer inc ... CVE-2018-11266 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper input validation can lead to an improper access to already freed up dci client entries while closing dci client. CVE-2018-11261 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, there is a possible Use-after-free issue in Media Codec process. Any application using codec service will be affected. CVE-2018-11262 In Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel while trying to find out total number of partition via a non zero check, there could be possibility where the 'TotalPart' could cross 'GptHeader->MaxPtCnt' and which could result in OOB ... CVE-2018-11263 In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, radio_id is received from the FW and is used to access the buffer to copy the radio stats received for each radio from FW. If the radio_id received from the FW is greater than or equal to maxi ... CVE-2018-11852 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper check In the WMA API for the inputs received from the firmware and then fills the same to the host structure will lead to OOB write. CVE-2018-11851 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check on input received to calculate the buffer length can lead to out of bound write to kernel stack. CVE-2018-11868 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of length validation check for value received from firmware can lead to buffer overflow in nan response event handler. CVE-2018-11869 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of length validation check for value received from firmware can lead to buffer overflow in WMA handler. CVE-2018-11863 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check of input received from firmware to calculate the length of WMA roam synch buffer can lead to buffer overwrite during memcpy. CVE-2018-11860 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, a potential buffer over flow could occur while processing the ndp event due to lack of check on the message length. CVE-2018-11836 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper length check can lead to out-of-bounds access in WLAN function. CVE-2018-11832 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of input size validation before copying to buffer in PMIC function can lead to heap overflow. CVE-2018-11842 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, during wlan association, driver allocates memory. In case the mem allocation fails driver does a mem free though the memory was not allocated. CVE-2018-11843 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack fo check on return value in WMA response handler can lead to potential use after free. CVE-2018-11840 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing the WLAN driver command ioctl a temporary buffer used to construct the reply message may be freed twice. CVE-2018-11897 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing diag event after associating to a network out of bounds read occurs if ssid of the network joined is greater than max limit. CVE-2018-11898 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing start bss request from upper layer, out of bounds read occurs if ssid length is greater than maximum. CVE-2018-11893 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing vendor scan request, when input argument - length of request IEs is greater than maximum can lead to a buffer overflow. CVE-2018-11894 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing preferred network offload scan results integer overflow may lead to buffer overflow when large frame length is received from FW. CVE-2018-11895 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper length check Validation in WLAN function can lead to driver writes the default rsn capabilities to the memory not allocated to the frame. CVE-2018-11891 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check on the length of array while accessing can lead to an out of bound read in WLAN HOST function. CVE-2018-11302 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check of input received from userspace before copying into buffer can lead to potential array overflow in WLAN. CVE-2018-11300 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, callback executed from the other thread has freed memory which is also used in wlan function and may result in to a "Use after free" scenario. CVE-2018-11301 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check on buffer length while processing debug log event from firmware can lead to an integer overflow. CVE-2018-11878 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, possibility of invalid memory access while processing driver command in WLAN function. CVE-2018-11889 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, when requesting rssi timeout, access invalid memory may occur since local variable 'context' stack data of wlan function is free. CVE-2018-11886 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check while calculating the MPDU data length will cause an integer overflow and then to buffer overflow in WLAN function. CVE-2018-11883 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, in policy mgr unit test if mode parameter in wlan function is given an out of bound value it can cause an out of bound access while accessing the PCL table. CVE-2018-11908 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper access control can lead to device node and executable to be run from /data/ which presents a potential issue. CVE-2018-11909 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper access control can lead to device node and executable to be run from /cache/ which presents a potential issue. CVE-2018-11904 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, asynchronous callbacks received a pointer to a callers local variable. Should the caller return early (e.g., timeout), the callback will dereference an invalid pointer. CVE-2018-11905 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Possible buffer overflow in WLAN function due to lack of input validation in values received from firmware. CVE-2018-11906 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, there is a security concern with default privileged access to ADB and debug-fs. CVE-2018-11907 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper access control can lead to device node and executable to be run from /firmware/ which presents a potential issue. CVE-2018-11902 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of length validation check for value received from firmware can lead to OOB access in WLAN HOST. CVE-2018-11903 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of length validation check for value received from caller function used as an array index for WMA interfaces can lead to OOB write in WLAN HOST. CVE-2018-11818 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, LUT configuration is passed down to driver from userspace via ioctl. Simultaneous update from userspace while kernel drivers are updating LUT registers can lead to race condition. CVE-2018-11827 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper validation of array index in WMA roam synchronization handler can lead to OOB write. CVE-2018-11823 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, freeing device memory in driver probe failure will result in double free issue in power module. CVE-2018-11946 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, the UPnP daemon should not be running out of box because it enables port forwarding without authentication. CVE-2018-11826 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check on integer overflow while calculating memory can lead to Buffer overflow in WLAN ext scan handler. CVE-2018-11943 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing fastboot flash command, memory leak or unexpected behavior may occur due to processing of unintialized data buffers. CVE-2018-11919 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, there is a potential heap overflow and memory corruption due to improper error handling in SOC infrastructure. CVE-2018-11918 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, memory allocated is automatically released by the kernel if the 'probe' function fails with an error code. CVE-2018-11911 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper configuration of script may lead to unprivileged access. CVE-2018-11912 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper configuration of daemons may lead to unprivileged access. CVE-2018-11913 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper configuration of dev nodes may lead to potential security issue. CVE-2018-11914 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper access control can lead to device node and executable to be run from /systemrw/ which presents a potential security. CVE-2018-11910 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper access control can lead to device node and executable to be run from /persist/ which presents a potential issue. CVE-2018-11298 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing SET_PASSPOINT_LIST vendor command HDD does not make sure that the realm string that gets passed by upper-layer is NULL terminated. This may lead to buffer overflow as strlen i ... CVE-2018-11299 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, when WLAN FW has not filled the vdev id correctly in stats events then WLAN host driver tries to access interface array without proper bound check which can lead to invalid memory access and a ... CVE-2018-11294 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, WLAN handler indication from the firmware gets the information for 4 access categories. While processing this information only the first 3 AC information is copied due to the improper conditio ... CVE-2018-11295 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, WMA handler carries a fixed event data from the firmware to the host . If the length and anqp length from this event data exceeds the max length, an OOB write would happen. CVE-2018-11296 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing a message from firmware in WLAN handler, a buffer overwrite can occur. CVE-2018-11297 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, a buffer over-read can occur In the WMA NDP event handler functions due to lack of validation of input value event_info which is received from FW. CVE-2018-11280 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing user-space there is no size validation of the NAT entry input. If the user input size of the NAT entry is greater than the max allowed size, memory exhaustion will occur. CVE-2018-11281 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while calling IPA_IOC_MDFY_RT_RULE IPA IOCTL, header entry is not checked before use. If IPA_IOC_MDFY_RT_RULE IOCTL called for header entries formerly deleted, a Use after free condition will ... CVE-2018-11276 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, double free of memory allocation is possible in Kernel when it explicitly tries to free that memory on driver probe failure, since memory allocated is automatically freed on probe. CVE-2018-11278 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Venus HW searches for start code when decoding input bit stream buffers. If start code is not found in entire buffer, there is over-fetch beyond allocation length. This leads to page fault. CVE-2018-11273 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, 'voice_svc_dev' is allocated as a device-managed resource. If error 'cdev_alloc_err' occurs, 'device_destroy' will free all associated resources, including 'voice_svc_dev' leading to a double ... CVE-2018-11274 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, buffer overflow may occur when payload size is extremely large. CVE-2018-11275 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, when flashing image using FastbootLib if size is not divisible by block size, information leak occurs. CVE-2018-11293 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, in wma_ndp_confirm_event_handler and wma_ndp_indication_event_handler, ndp_cfg len and num_ndp_app_info is from fw. If they are not checked, it may cause buffer over-read once the value is too ... CVE-2018-11286 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while accessing global variable "debug_client" in multi-thread manner, Use after free issue occurs CVE-2018-11988 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Un-trusted pointer de-reference issue by accessing a variable which is already freed. CVE-2018-11984 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, A use after free condition and an out-of-bounds access can occur in the DIAG driver. CVE-2018-11985 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, When allocating heap using user supplied size, Possible heap overflow vulnerability due to integer overflow in roundup to native pointer. CVE-2018-11986 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Possible buffer overflow in TX and RX FIFOs of microcontroller in camera subsystem used to exchange commands and messages between Micro FW and CPP driver. CVE-2018-11987 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, if there is an unlikely memory alloc failure for the secure pool in boot, it can result in wrong pointer access causing kernel panic. CVE-2018-11983 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Error in kernel observed while accessing freed mask pointers after reallocating memory for mask table. CVE-2018-11956 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper mounting lead to device node and executable to be run from /dsp/ which presents a potential security issue. CVE-2018-11962 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Use-after-free issue in heap while loading audio effects config in audio effects factory. CVE-2018-11963 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Buffer overread may occur due to non-null terminated strings while processing vsprintf in camera jpeg driver. CVE-2018-11964 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Exposing the hashed content in /etc/passwd may lead to security issue. CVE-2018-11965 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Anyone can execute proptrigger.sh which will lead to change in properties. CVE-2018-11960 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, A use after free condition can occur in the SPS driver which can lead to error in kernel. CVE-2018-11961 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Possibility of accessing out of bound vector index When updating some GNSS configurations. CVE-2018-11995 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, a partition name-check variable is not reset for every iteration which may cause improper termination in the META image. CVE-2018-12006 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Users with no extra privileges can potentially access leaked data due to uninitialized padding present in display function. CVE-2018-12014 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Null pointer dereference vulnerability may occur due to missing NULL assignment in NAT module of freed pointer. CVE-2018-12010 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Absence of length sanity check may lead to possible stack overflow resulting in memory corruption in trustzone region. CVE-2018-12011 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Uninitialized data for socket address leads to information exposure. CVE-2018-13889 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Heap memory was accessed after it was freed CVE-2018-13893 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Out of bound mask range access caused by using possible old value of msg mask table count while copying masks to userspace. CVE-2018-3576 improper validation of array index in WiFi driver function sapInterferenceRssiCount() leads to array out-of-bounds access in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. CVE-2018-3577 While processing fragments, when the fragment count becomes very large, an integer overflow leading to a buffer overflow can occur in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05. CVE-2018-3574 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, userspace can request ION cache maintenance on a secure ION buffer for which the ION_FLAG_SECURE ion flag is not set and cause the kernel to attempt to perform cache maintenance on memory whic ... CVE-2018-3572 While processing a DSP buffer in an audio driver's event handler, an index of a buffer is not checked before accessing the buffer in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. CVE-2018-3573 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while relocating kernel images with a specially crafted boot image, an out of bounds access can occur. CVE-2018-3570 In the cpuidle driver in all Android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, the list_for_each macro was not used correctly which could lead to an untrusted pointer dereference. CVE-2018-3571 In the KGSL driver in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel, a Use After Free condition can occur when printing information about sparse memory allocations CVE-2018-3578 Type mismatch for ie_len can cause the WLAN driver to allocate less memory on the heap due to implicit casting leading to a heap buffer overflow in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. CVE-2018-3579 In the WLAN driver in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel, event->num_entries_in_page is a value received from firmware that is not properly validated which can lead to a buffer over-read CVE-2018-3587 In a firmware memory dump feature in all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android), a Use After Free condition can occur. CVE-2018-3586 An integer overflow to buffer overflow vulnerability exists in the ADSPRPC heap manager in all Android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel. CVE-2018-3584 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, a Use After Free condition can occur in the function rmnet_usb_ctrl_init(). CVE-2018-3581 In the WLAN driver in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel, a buffer overwrite can occur if the vdev_id received from firmware is larger than max_bssid. CVE-2018-3582 Buffer overflow can occur due to improper input validation in multiple WMA event handler functions in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. CVE-2018-3580 Stack-based buffer overflow can occur In the WLAN driver if the pmkid_count value is larger than the PMKIDCache size in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. CVE-2018-3565 While sending a probe request indication in lim_send_sme_probe_req_ind() in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel, a buffer overflow can occur. CVE-2018-3566 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, a buffer overwrite may occur in ProcSetReqInternal() due to missing length check. CVE-2018-3563 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, untrusted pointer dereference in apr_cb_func can lead to an arbitrary code execution. CVE-2018-3564 In the FastRPC driver in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05, a Use After Free condition can occur when mapping on the remote processor fails. CVE-2018-3561 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a race condition in diag_ioctl_lsm_deinit() leads to a Use After Free condition. CVE-2018-3562 Buffer over -read can occur while processing a FILS authentication frame in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. CVE-2018-3560 In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a Double Free vulnerability exists in Audio Driver while opening a sound compression device. CVE-2018-3569 A buffer over-read can occur during a fast initial link setup (FILS) connection in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05. CVE-2018-3567 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, a buffer overflow vulnerability exists in WLAN while processing the HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP messages. CVE-2018-3568 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, in __wlan_hdd_cfg80211_vendor_scan(), a buffer overwrite can potentially occur. CVE-2018-3598 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, insufficient validation of parameters from userspace in the camera driver can lead to information leak and out-of-bounds access. CVE-2018-3599 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, while notifying a DCI client, a Use After Free condition can occur. CVE-2018-3596 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, legacy code vulnerable after migration has been removed. CVE-2018-3597 In the ADSP RPC driver in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05, an arbitrary kernel write can occur. CVE-2018-5832 Due to a race condition in a camera driver ioctl handler in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05, a Use After Free condition can occur. CVE-2018-5831 In the KGSL driver in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05, a reference counting error can lead to a Use After Free condition. CVE-2018-5830 While processing the HTT_T2H_MSG_TYPE_MGMT_TX_COMPL_IND message, a buffer overflow can potentially occur in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05. CVE-2018-5836 In wma_nan_rsp_event_handler() in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05, the data_len value is received from firmware and not properly validated which could potentially lead to an out-of-bounds acces ... CVE-2018-5835 If the seq_len is greater then CSR_MAX_RSC_LEN, a buffer overflow in __wlan_hdd_cfg80211_add_key() may occur when copying keyRSC in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05. CVE-2018-5834 In __wlan_hdd_cfg80211_vendor_scan(), a buffer overwrite can potentially occur in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05. CVE-2018-5843 In the function wma_pdev_div_info_evt_handler() in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel, there is no upper bound check on the value event->num_chains_valid received from firmware which can lead to a buffer overwrite of the fixed size ... CVE-2018-5842 An arbitrary address write can occur if a compromised WLAN firmware sends incorrect data to WLAN driver in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. CVE-2018-5841 dcc_curr_list is initialized with a default invalid value that is expected to be programmed by the user through a sysfs node which could lead to an invalid access in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. CVE-2018-5840 Buffer Copy without Checking Size of Input can occur during the DRM SDE driver initialization sequence in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. CVE-2018-5849 Due to a race condition in the QTEECOM driver in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel, when more than one HLOS client loads the same TA, a Use After Free condition can occur. CVE-2018-5847 Early or late retirement of rotation requests can result in a Use After Free condition in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. CVE-2018-5846 A Use After Free condition can occur in the IPA driver whenever the IPA IOCTLs IPA_IOC_NOTIFY_WAN_UPSTREAM_ROUTE_ADD/IPA_IOC_NOTIFY_WAN_UPSTREAM_ROUTE_DEL/IPA_IOC_NOTIFY_WAN_EMBMS_CONNECTED are called in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux ... CVE-2018-5845 A race condition in drm_atomic_nonblocking_commit() in the display driver can potentially lead to a Use After Free scenario in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. CVE-2018-5844 In the video driver function set_output_buffers(), binfo can be accessed after being freed in a failure scenario in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. CVE-2018-5821 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, in function wma_wow_wakeup_host_event(), wake_info->vdev_id is received from FW and is used directly as array index to access wma->interf ... CVE-2018-5820 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, in the function wma_tbttoffset_update_event_handler(), a parameter received from firmware is used to allocate memory for a local buffer a ... CVE-2018-5829 In wlan_hdd_cfg80211_set_privacy_ibss() in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05, a buffer over-read can potentially occur. CVE-2018-5828 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, in function wma_extscan_start_stop_event_handler(), vdev_id comes from the variable event from firmware and is not properly validated pot ... CVE-2018-5827 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, a buffer overflow vulnerability exists in WLAN while processing an extscan hotlist event. CVE-2018-5826 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, due to a race condition, a Use After Free condition can occur in the WLAN driver. CVE-2018-5825 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, in the kernel IPA driver, a Use After Free condition can occur. CVE-2018-5824 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, while processing HTT_T2H_MSG_TYPE_RX_FLUSH or HTT_T2H_MSG_TYPE_RX_PN_IND messages, a buffer overflow can occur if the tid value obtained ... CVE-2018-5823 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, improper buffer length validation in extscan hotlist event can lead to potential buffer overflow. CVE-2018-5822 In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, compromised WLAN FW can potentially cause a buffer overwrite. CVE-2018-5872 While parsing over-the-air information elements in all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-07-05, the use of an out-of-range pointer offset can occur. CVE-2018-5887 While processing the USB StrSerialDescriptor array, an array index out of bounds can occur in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05. CVE-2018-5886 A pointer in an ADSPRPC command is not properly validated in all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android), which can lead to kernel memory being accessed. CVE-2018-5889 While processing a compressed kernel image, a buffer overflow can occur in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05. CVE-2018-5888 While processing the system path, an out of bounds access can occur in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05. CVE-2018-5854 A stack-based buffer overflow can occur in fastboot from all Android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel. CVE-2018-5853 A race condition exists in a driver in all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-05-05 potentially leading to a use-after-free condition. CVE-2018-5851 Buffer over flow can occur while processing a HTT_T2H_MSG_TYPE_TX_COMPL_IND message with an out-of-range num_msdus value in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. CVE-2018-5850 In the function csr_update_fils_params_rso(), insufficient validation on a key length can result in an integer underflow leading to a buffer overflow in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. CVE-2018-5859 Due to a race condition in the MDSS MDP driver in all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-07-05, a Use After Free condition can occur. CVE-2018-5858 In the audio debugfs in all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-07-05, out of bounds access can occur. CVE-2018-5857 In the WCD CPE codec, a Use After Free condition can occur in all Android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel. CVE-2018-5856 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, due to a race condition, a Use After Free condition can occur in Audio. CVE-2018-5855 While padding or shrinking a nested wmi packet in all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-07-05, a buffer over-read can potentially occur. CVE-2018-5865 While processing a debug log event from firmware in all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-07-05, an integer underflow and/or buffer over-read can occur. CVE-2018-5864 While processing a WMI_APFIND event in all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-07-05, a buffer over-read and information leak can potentially occur. CVE-2018-5863 If userspace provides a too-large WPA RSN IE length in wlan_hdd_cfg80211_set_ie(), a buffer overflow occurs in all Android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel. CVE-2018-5862 In __wlan_hdd_cfg80211_vendor_scan() in all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-07-05, when SCAN_SSIDS and QCA_WLAN_VENDOR_ATTR_SCAN_FREQUENCIES are parsed, a buffer overwrite can potentially occur. CVE-2018-5861 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, existing checks in place on partition size are incomplete and can lead to heap overwrite vulnerabilities while loading a secure application from the boot loader. CVE-2018-5860 In the MDSS driver in all Android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, a data structure may be used without being initialized correctly. CVE-2018-5898 Integer overflow can occur in msm_pcm_adsp_stream_cmd_put() function if the user supplied data "param_length" goes beyond certain limit in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05. CVE-2018-5897 While reading the data from buffer in dci_process_ctrl_status() there can be buffer over-read problem if the len is not checked correctly in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05. CVE-2018-5896 In Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05, kernel panic may happen due to out-of-bound read, caused by not checking source buffer length against length of packet stream to be copied. CVE-2018-5895 Buffer over-read may happen in wma_process_utf_event() due to improper buffer length validation before writing into param_buf->num_wow_packet_buffer in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05. CVE-2018-5893 While processing a message from firmware in htt_t2h_msg_handler_fast() in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05, a buffer overwrite can occur. CVE-2018-5890 If the fdt_totalsize is reported as 0 for the current device tree, it bypasses an error check for a valid device tree in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05. CVE-2018-5899 In Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05, whenever TDLS connection is setup, we are freeing the netbuf in ol_tx_completion_handler and after that, we are accessing it in NBUF_UPDATE_TX_PKT_COUNT caus ... CVE-2018-6243 NVIDIA Tegra TLK Widevine Trust Application contains a vulnerability in which missing the input parameter checking of video metadata count may lead to Arbitrary Code Execution, Denial of Service or Escalation of Privileges. Android ID: A-72315075. Severity Rating: High. Version: N/A. CVE-2018-6241 NVIDIA Tegra Gralloc module contains a vulnerability in driver in which it does not validate input parameter of the registerbuffer API, which may lead to arbitrary code execution, denial of service, or escalation of privileges. Android ID: A-62540032 Severity Rating: High Version: N/A. CVE-2018-6268 NVIDIA Tegra library contains a vulnerability in libnvmmlite_video.so, where referencing memory after it has been freed may lead to denial of service or possible escalation of privileges. Android ID: A-80433161. CVE-2018-6267 NVIDIA Tegra OpenMax driver (libnvomx) contains a vulnerability in which the software does not validate or incorrectly validates input that can affect the control flow or data flow of a program, which may lead to denial of service or escalation of privileges. Android ID: A-70857947. CVE-2018-6271 NVIDIA Tegra OpenMax driver (libnvomx) contains a vulnerability in which the software delivers extra data with the buffer and does not properly validated the extra data, which may lead to denial of service or escalation of privileges. Android ID: A-80198474. CVE-2018-5919 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, a use after free issue in WLAN host driver can lead to device reboot. CVE-2018-5910 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, a memory corruption can occur in kernel due to improper check in callers count parameter in display handlers. CVE-2018-5909 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, buffer overflow occur may occur in display handlers due to lack of checking in buffer size before copying into it and will lead to memory corruption. CVE-2018-5908 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, there is a possible buffer overflow in display function due to lack of buffer length validation before copying. CVE-2018-5906 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, there is a possible buffer overflow in debugfs module due to lack of check in size of input before copying into buffer. CVE-2018-5905 In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, a race condition while accessing num of clients in DIAG services can lead to out of boundary access. CVE-2018-5904 In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while list traversal in LPM status driver for clean up, use after free vulnerability may occur. CVE-2018-9519 In easelcomm_hw_build_scatterlist, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege with System privileges required. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-69808833. CVE-2018-9513 In copy_process of fork.c, there is possible memory corruption due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-111081202 Ref ... CVE-2018-9514 In sdcardfs_open of file.c, there is a possible Use After Free due to an unusual root cause. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-11164 ... CVE-2018-9515 In sdcardfs_create and sdcardfs_mkdir of inode.c, there is a possible memory corruption due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel ... CVE-2018-9567 On Pixel devices there is a bug causing verified boot to show the same certificate fingerprint despite using different signing keys. This may lead to local escalation of privilege if people are relying on those fingerprints to determine what version of the OS the device is running, with System execu ... CVE-2018-9580 A Elevation of privilege vulnerability in the HTC bootloader. Product: Android. Versions: Android kernel. Android ID: A-76222002. CVE-2018-9465 In task_get_unused_fd_flags of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ... CVE-2015-1527 Integer overflow in IAudioPolicyService.cpp in Android allows local users to gain privileges via a crafted application, aka Android Bug ID 19261727. CVE-2015-3830 The stock Android browser address bar in all Android operating systems suffers from Address Bar Spoofing, which allows remote attackers to trick a victim by displaying a malicious page for legitimate domain names. CVE-2015-9010 An elevation of privilege vulnerability in Qualcomm closed source components. Product: Android. Versions: Android kernel. Android ID: A-36393101. CVE-2015-9011 An elevation of privilege vulnerability in Qualcomm closed source components. Product: Android. Versions: Android kernel. Android ID: A-36714882. CVE-2015-9014 An elevation of privilege vulnerability in Qualcomm closed source components. Product: Android. Versions: Android kernel. Android ID: A-36393750. CVE-2015-9015 An elevation of privilege vulnerability in Qualcomm closed source components. Product: Android. Versions: Android kernel. Android ID: A-36714120. CVE-2015-9012 An elevation of privilege vulnerability in Qualcomm closed source components. Product: Android. Versions: Android kernel. Android ID: A-36384691. CVE-2015-9013 An elevation of privilege vulnerability in Qualcomm closed source components. Product: Android. Versions: Android kernel. Android ID: A-36393251. CVE-2015-9009 An elevation of privilege vulnerability in Qualcomm closed source components. Product: Android. Versions: Android kernel. Android ID: A-36393600. CVE-2015-9007 In TrustZone in all Android releases from CAF using the Linux kernel, a Double Free vulnerability could potentially exist. CVE-2015-9008 An elevation of privilege vulnerability in Qualcomm closed source components. Product: Android. Versions: Android kernel. Android ID: A-36384689. CVE-2015-9005 In TrustZone in all Android releases from CAF using the Linux kernel, an Integer Overflow to Buffer Overflow vulnerability could potentially exist. CVE-2015-9006 In Resource Power Manager (RPM) in all Android releases from CAF using the Linux kernel, an Improper Access Control vulnerability could potentially exist. CVE-2019-2000 In several functions of binder.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-1 ... CVE-2019-2001 The permissions on /proc/iomem were world-readable. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-117422211. CVE-2019-2025 In binder_thread_read of binder.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroi ... CVE-2017-13167 An elevation of privilege vulnerability in the kernel sound timer. Product: Android. Versions: Android kernel. Android ID A-37240993. CVE-2018-5873 An issue was discovered in the __ns_get_path function in fs/nsfs.c in the Linux kernel before 4.11. Due to a race condition when accessing files, a Use After Free condition can occur. This also affects all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD And ... CVE-2018-9518 In nfc_llcp_build_sdreq_tlv of llcp_commands.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel ... CVE-2018-9568 In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-1135093 ... CVE-2018-9415 In driver_override_store and driver_override_show of bus.c, there is a possible double free due to improper locking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel An ... CVE-2018-9363 In the hidp_process_report in bluetooth, there is an integer overflow. This could lead to an out of bounds write with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-65853588 References: Upstream kern ... CVE-2018-9385 In driver_override_store of bus.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID ... CVE-2019-2054 In the seccomp implementation prior to kernel version 4.8, there is a possible seccomp bypass due to seccomp policies that allow the use of ptrace. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Produc ... CVE-2019-1999 In binder_alloc_free_page of binder_alloc.c, there is a possible double free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android ke ... CVE-2019-2101 In uvc_parse_standard_control of uvc_driver.c, there is a possible out-of-bound read due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android ... CVE-2019-2024 In em28xx_unregister_dvb of em28xx-dvb.c, there is a possible use after free issue. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-111761954Referenc ... CVE-2018-9422 In get_futex_key of futex.c, there is a use-after-free due to improper locking. This could lead to local escalation of privilege with no additional privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-74250718 References: Upstrea ... CVE-2017-0861 Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem in the Linux kernel allows attackers to gain privileges via unspecified vectors. CVE-2017-13305 A information disclosure vulnerability in the Upstream kernel encrypted-keys. Product: Android. Versions: Android kernel. Android ID: A-70526974. CVE-2017-13220 An elevation of privilege vulnerability in the Upstream kernel bluez. Product: Android. Versions: Android kernel. Android ID: A-63527053. CVE-2017-13215 A elevation of privilege vulnerability in the Upstream kernel skcipher. Product: Android. Versions: Android kernel. Android ID: A-64386293. References: Upstream kernel. CVE-2017-11089 In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a buffer overread is observed in nl80211_set_station when user space application sends attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE with data of size less than 4 bytes CVE-2017-13168 An elevation of privilege vulnerability in the kernel scsi driver. Product: Android. Versions: Android kernel. Android ID A-65023233. CVE-2017-13166 An elevation of privilege vulnerability in the kernel v4l2 video driver. Product: Android. Versions: Android kernel. Android ID A-34624167. CVE-2018-5848 In the function wmi_set_ie(), the length validation code does not handle unsigned integer overflow properly. As a result, a large value of the 'ie_len' argument can cause a buffer overflow in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. CVE-2018-9516 In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android ke ... CVE-2018-9517 In pppol2tp_connect, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-38159931. CVE-2015-9016 In blk_mq_tag_to_rq in blk-mq.c in the upstream kernel, there is a possible use after free due to a race condition when a request has been previously freed by blk_mq_complete_request. This could lead to local escalation of privilege. Product: Android. Versions: Android kernel. Android ID: A-63083046 ... |