Qualcomm ≫ Snapdragon 8 Gen 3 Firmware

Transient DOS while parsing MBSSID during new IE generation in beacon/probe frame when IE length check is either missing or improper.

Transient DOS while processing TIM IE from beacon frame as there is no check for IE length.

Memory corruption while passing untrusted/corrupted pointers from DSP to EVA.

Memory corruption when Alternative Frequency offset value is set to 255.

Memory corruption when BTFM client sends new messages over Slimbus to ADSP.