Qualcomm ≫ Qca6688aq Firmware

Memory corruption as fence object may still be accessed in timeline destruct after isync fence is released.

Memory corruption can occur if VBOs hold outdated or invalid GPU SMMU mappings, especially when the binding and reclaiming of memory buffers are performed at the same time.

Transient DOS while parsing the ML IE when a beacon with length field inside the common info of ML IE greater than the ML IE length.

Transient DOS while parsing the BSS parameter change count or MLD capabilities fields of the ML IE.

Transient DOS while parsing probe response and assoc response frame when received frame length is less than max size of timestamp.

Transient DOS while processing TID-to-link mapping IE elements.

Memory corruption while processing IOCTL call to set metainfo.

Transient DOS while parsing SCAN RNR IE when bytes received from AP is such that the size of the last param of IE is less than neighbor report.

Transient DOS while parsing the received TID-to-link mapping element of the TID-to-link mapping action frame.

Transient DOS while parsing the received TID-to-link mapping action frame.