CVE-2022-40514 — CVSS 9.8 (critical): Memory corruption due to buffer copy without checking the size of input in WLAN Firmware while processing CCKM IE in reassoc response frame.
CVE-2025-47372 — CVSS 9.0 (critical): Memory Corruption when a corrupted ELF image with an oversized file size is read into a buffer without authentication.
CVE-2024-33034 — CVSS 8.4 (high): Memory corruption can occur if VBOs hold outdated or invalid GPU SMMU mappings, especially when the binding and reclaiming of memory…
CVE-2024-33028 — CVSS 8.4 (high): Memory corruption as fence object may still be accessed in timeline destruct after isync fence is released.
CVE-2024-33023 — CVSS 8.4 (high): Memory corruption while creating a fence to wait on timeline events, and simultaneously signal timeline events.
CVE-2025-21487 — CVSS 8.2 (high): Information disclosure while decoding RTP packet received by UE from the network, when payload length mentioned is greater than the…
CVE-2024-33073 — CVSS 8.2 (high): Information disclosure while parsing the BSS parameter change count or MLD capabilities fields of the ML IE.
CVE-2024-53026 — CVSS 8.2 (high): Information disclosure when an invalid RTCP packet is received during a VoLTE/VoWiFi IMS call.
CVE-2025-21484 — CVSS 8.2 (high): Information disclosure when UE receives the RTP packet from the network, while decoding and reassembling the fragments from RTP packet.
CVE-2024-38408 — CVSS 8.2 (high): Cryptographic issue when a controller receives an LMP start encryption command under unexpected conditions.
CVE-2025-47357 — CVSS 8.0 (high): Information Disclosure when a user-level driver performs QFPROM read or write operations on Fuse regions.
CVE-2023-28587 — CVSS 7.8 (high): Memory corruption in BT controller while parsing debug commands with specific sub-opcodes at HCI interface level.
CVE-2023-33115 — CVSS 7.8 (high): Memory corruption while processing buffer initialization, when trusted report for certain report types are generated.
CVE-2024-21475 — CVSS 7.8 (high): Memory corruption when the payload received from firmware is not as per the expected protocol size.
CVE-2024-45564 — CVSS 7.8 (high): Memory corruption during concurrent access to server info object due to incorrect reference count update.
CVE-2024-45571 — CVSS 7.8 (high): Memory corruption may occour occur when stopping the WLAN interface after processing a WMI command from the interface.
CVE-2024-45584 — CVSS 7.8 (high): Memory corruption can occur when a compat IOCTL call is followed by a normal IOCTL call from userspace.
CVE-2025-21453 — CVSS 7.8 (high): Memory corruption while processing a data structure, when an iterator is accessed after it has been removed, potential failures occur.
CVE-2025-27032 — CVSS 7.8 (high): memory corruption while loading a PIL authenticated VM, when authenticated VM image is loaded without maintaining cache coherency.
CVE-2025-27061 — CVSS 7.8 (high): Memory corruption whhile handling the subsystem failure memory during the parsing of video packets received from the video firmware.
CVE-2025-47377 — CVSS 7.8 (high): Memory Corruption when accessing a buffer after it has been freed while processing IOCTL calls.
CVE-2025-47379 — CVSS 7.8 (high): Memory Corruption when concurrent access to shared buffer occurs due to improper synchronization between assignment and deallocation of…
CVE-2025-47397 — CVSS 7.8 (high): Memory Corruption when initiating GPU memory mapping using scatter-gather lists due to unchecked IOMMU mapping errors.
CVE-2025-47398 — CVSS 7.8 (high): Memory Corruption while deallocating graphics processing unit memory buffers due to improper handling of memory pointers.
CVE-2025-59604 — CVSS 7.8 (high): Memory Corruption when running a memory copy operation due to invalid writes caused by a null pointer.
CVE-2025-59606 — CVSS 7.8 (high): Memory Corruption when writing to invalid memory locations occurs due to heap memory exhaustion during secure data initialization.
CVE-2024-33024 — CVSS 7.5 (high): Transient DOS while parsing the ML IE when a beacon with length field inside the common info of ML IE greater than the ML IE length.
CVE-2024-33025 — CVSS 7.5 (high): Transient DOS while parsing the BSS parameter change count or MLD capabilities fields of the ML IE.
CVE-2024-33026 — CVSS 7.5 (high): Transient DOS while parsing probe response and assoc response frame when received frame length is less than max size of timestamp.
CVE-2025-21446 — CVSS 7.5 (high): Transient DOS may occur when processing vendor-specific information elements while parsing a WLAN frame for BTM requests.
CVE-2023-43511 — CVSS 7.5 (high): Transient DOS while parsing IPv6 extension header when WLAN firmware receives an IPv6 packet that contains `IPPROTO_NONE` as the next…
CVE-2024-33069 — CVSS 7.5 (high): Transient DOS when transmission of management frame sent by host is not successful and error status is received in the host.
CVE-2024-33063 — CVSS 7.5 (high): Transient DOS while parsing the ML IE when a beacon with common info length of the ML IE greater than the ML IE inside which this element…
CVE-2022-33306 — CVSS 7.5 (high): Transient DOS due to buffer over-read in WLAN while processing an incoming management frame with incorrectly filled IEs.
CVE-2024-23364 — CVSS 7.5 (high): Transient DOS when processing the non-transmitted BSSID profile sub-elements present within the MBSSID Information Element (IE) of a beacon…
CVE-2024-33057 — CVSS 7.5 (high): Transient DOS while parsing the multi-link element Control field when common information length check is missing before updating the…
CVE-2024-33011 — CVSS 7.5 (high): Transient DOS while parsing the MBSSID IE from the beacons, when the MBSSID IE length is zero.
CVE-2024-33012 — CVSS 7.5 (high): Transient DOS while parsing the multiple MBSSID IEs from the beacon, when the tag length is non-zero value but with end of beacon.
CVE-2024-33013 — CVSS 7.5 (high): Transient DOS when driver accesses the ML IE memory and offset value is incremented beyond ML IE length.
CVE-2024-33015 — CVSS 7.5 (high): Transient DOS while parsing SCAN RNR IE when bytes received from AP is such that the size of the last param of IE is less than neighbor…
CVE-2024-33018 — CVSS 7.5 (high): Transient DOS while parsing the received TID-to-link mapping element of the TID-to-link mapping action frame.
CVE-2023-43533 — CVSS 7.5 (high): Transient DOS in WLAN Firmware when the length of received beacon is less than length of ieee802.11 beacon frame.
CVE-2024-33048 — CVSS 7.5 (high): Transient DOS while parsing the received TID-to-link mapping element of beacon/probe response frame.
CVE-2024-33049 — CVSS 7.5 (high): Transient DOS while parsing noninheritance IE of Extension element when length of IE is 2 of beacon frame.
CVE-2024-33050 — CVSS 7.5 (high): Transient DOS while parsing MBSSID during new IE generation in beacon/probe frame when IE length check is either missing or improper.
CVE-2024-45558 — CVSS 7.5 (high): Transient DOS can occur when the driver parses the per STA profile IE and tries to access the EXTN element ID without checking the IE…