Qualcomm ≫ Snapdragon X75 5g Modem-rf System Firmware

Memory corruption when invalid length is provided from HLOS for FRS/UDS request/response buffers.

Transient DOS while parsing the multi-link element Control field when common information length check is missing before updating the location.

Memory corruption when two threads try to map and unmap a single node simultaneously.

Memory corruption while processing concurrent IOCTL calls.

Transient DOS while parsing the received TID-to-link mapping element of beacon/probe response frame.

Transient DOS while parsing MBSSID during new IE generation in beacon/probe frame when IE length check is either missing or improper.

Cryptographic issue while parsing RSA keys in COBR format.

Transient DOS when processing the non-transmitted BSSID profile sub-elements present within the MBSSID Information Element (IE) of a beacon frame that is received from over-the-air (OTA).

memory corruption when an invalid firehose patch command is invoked.

Transient DOS when registration accept OTA is received with incorrect ciphering key data IE in Modem.