Qualcomm ≫ Wcd9370 Firmware

Memory corruption while invoking IOCTL command from user-space, when a user modifies the original packet size of the command after system properties have been already sent to the EVA driver.

Transient DOS as modem reset occurs when an unexpected MAC RAR (with invalid PDU length) is seen at UE.

Memory corruption while maintaining memory maps of HLOS memory.

Transient DOS while parsing probe response and assoc response frame.

Memory corruption while processing user packets to generate page faults.

Information disclosure while parsing the BSS parameter change count or MLD capabilities fields of the ML IE.

Transient DOS while parsing noninheritance IE of Extension element when length of IE is 2 of beacon frame.

Memory corruption while taking snapshot when an offset variable is set by camera driver.

Memory corruption when a compat IOCTL call is followed by another IOCTL call from userspace to a driver.

Memory corruption when invalid length is provided from HLOS for FRS/UDS request/response buffers.