CVE-2022-40514 — CVSS 9.8 (critical): Memory corruption due to buffer copy without checking the size of input in WLAN Firmware while processing CCKM IE in reassoc response frame.
CVE-2022-33232 — CVSS 9.3 (critical): Memory corruption due to buffer copy without checking size of input while running memory sharing tests with large scattered memory.
CVE-2022-33257 — CVSS 9.3 (critical): Memory corruption in Core due to time-of-check time-of-use race condition during dump collection in trust zone.
CVE-2022-33288 — CVSS 9.3 (critical): Memory corruption due to buffer copy without checking the size of input in Core while sending SCM command to get write protection…
CVE-2023-43520 — CVSS 8.6 (high): Memory corruption when AP includes TID to link mapping IE in the beacons and STA is parsing the beacon TID to link mapping IE.
CVE-2023-43534 — CVSS 8.6 (high): Memory corruption while validating the TID to Link Mapping action request frame, when a station connects to an access point.
CVE-2024-33034 — CVSS 8.4 (high): Memory corruption can occur if VBOs hold outdated or invalid GPU SMMU mappings, especially when the binding and reclaiming of memory…
CVE-2024-33035 — CVSS 8.4 (high): Memory corruption while calculating total metadata size when a very high reserved size is requested by gralloc clients.
CVE-2022-33307 — CVSS 8.4 (high): Memory Corruption due to double free in automotive when a bad HLOS address for one of the lists to be mapped is passed.
CVE-2022-33287 — CVSS 8.2 (high): Information disclosure in Modem due to buffer over-read while getting length of Unfragmented headers in an IPv6 packet.
CVE-2022-33291 — CVSS 8.2 (high): Information disclosure in Modem due to buffer over-read while receiving a IP header with malformed length.
CVE-2022-25732 — CVSS 8.2 (high): Information disclosure in modem due to buffer over read in dns client due to missing length check
CVE-2022-25726 — CVSS 8.2 (high): Information disclosure in modem data due to array out of bound access while handling the incoming DNS response packet
CVE-2022-25728 — CVSS 8.2 (high): Information disclosure in modem due to buffer over-read while processing response from DNS server
CVE-2022-25738 — CVSS 8.2 (high): Information disclosure in modem due to buffer over-red while performing checksum of packet received
CVE-2022-25730 — CVSS 8.2 (high): Information disclosure in modem due to improper check of IP type while processing DNS server query
CVE-2024-53011 — CVSS 7.9 (high): Information disclosure may occur due to improper permission and access controls to Video Analytics engine.
CVE-2024-45557 — CVSS 7.8 (high): Memory corruption can occur when TME processes addresses from TZ and MPSS requests without proper validation.
CVE-2022-33278 — CVSS 7.8 (high): Memory corruption due to buffer copy without checking the size of input in HLOS when input message size is larger than the buffer capacity.
CVE-2025-27061 — CVSS 7.8 (high): Memory corruption whhile handling the subsystem failure memory during the parsing of video packets received from the video firmware.
CVE-2024-45553 — CVSS 7.8 (high): Memory corruption can occur when process-specific maps are added to the global list. If a map is removed from the global list while another…
CVE-2023-43550 — CVSS 7.8 (high): Memory corruption while processing a QMI request for allocating memory from a DHMS supported subsystem.
CVE-2025-47398 — CVSS 7.8 (high): Memory Corruption while deallocating graphics processing unit memory buffers due to improper handling of memory pointers.
CVE-2023-21670 — CVSS 7.8 (high): Memory Corruption in GPU Subsystem due to arbitrary command execution from GPU in privileged mode.
CVE-2023-33110 — CVSS 7.8 (high): The session index variable in PCM host voice audio driver initialized before PCM open, accessed during event callback from ADSP and reset…
CVE-2022-33242 — CVSS 7.8 (high): Memory corruption due to improper authentication in Qualcomm IPC while loading unsigned lib in audio PD.
CVE-2023-33115 — CVSS 7.8 (high): Memory corruption while processing buffer initialization, when trusted report for certain report types are generated.
CVE-2025-47323 — CVSS 7.8 (high): Memory corruption while routing GPR packets between user and root when handling large data packet.
CVE-2023-43513 — CVSS 7.8 (high): Memory corruption while processing the event ring, the context read pointer is untrusted to HLOS and when it is passed with arbitrary…
CVE-2025-27032 — CVSS 7.8 (high): memory corruption while loading a PIL authenticated VM, when authenticated VM image is loaded without maintaining cache coherency.
CVE-2024-49841 — CVSS 7.8 (high): Memory corruption during memory assignment to headless peripheral VM due to incorrect error code handling.
CVE-2024-49842 — CVSS 7.8 (high): Memory corruption during memory mapping into protected VM address space due to incorrect API restrictions.
CVE-2025-21468 — CVSS 7.8 (high): Memory corruption while reading response from FW, when buffer size is changed by FW while driver is using this size to write null character…
CVE-2024-21475 — CVSS 7.8 (high): Memory corruption when the payload received from firmware is not as per the expected protocol size.
CVE-2022-25735 — CVSS 7.5 (high): Denial of service in modem due to missing null check while processing TCP or UDP packets from server
CVE-2022-25739 — CVSS 7.5 (high): Denial of service in modem due to missing null check while processing the ipv6 packet received during ECM call
CVE-2022-33304 — CVSS 7.5 (high): Transient DOS due to NULL pointer dereference in Modem while performing pullup for received TCP/UDP packet.
CVE-2022-33306 — CVSS 7.5 (high): Transient DOS due to buffer over-read in WLAN while processing an incoming management frame with incorrectly filled IEs.
CVE-2022-33309 — CVSS 7.5 (high): Transient DOS due to buffer over-read in WLAN Firmware while parsing secure FTMR frame with size lesser than 39 Bytes.
CVE-2022-34146 — CVSS 7.5 (high): Transient DOS due to improper input validation in WLAN Host while parsing frame during defragmentation.
CVE-2023-28584 — CVSS 7.5 (high): Transient DOS in WLAN Host when a mobile station receives invalid channel in CSA IE while doing channel switch announcement (CSA).
CVE-2023-33112 — CVSS 7.5 (high): Transient DOS when WLAN firmware receives "reassoc response" frame including RIC_DATA element.
CVE-2023-43511 — CVSS 7.5 (high): Transient DOS while parsing IPv6 extension header when WLAN firmware receives an IPv6 packet that contains `IPPROTO_NONE` as the next…
CVE-2024-23363 — CVSS 7.5 (high): Transient DOS while processing an improperly formatted Fine Time Measurement (FTM) management frame.
CVE-2024-23364 — CVSS 7.5 (high): Transient DOS when processing the non-transmitted BSSID profile sub-elements present within the MBSSID Information Element (IE) of a beacon…
CVE-2024-33011 — CVSS 7.5 (high): Transient DOS while parsing the MBSSID IE from the beacons, when the MBSSID IE length is zero.
CVE-2024-33012 — CVSS 7.5 (high): Transient DOS while parsing the multiple MBSSID IEs from the beacon, when the tag length is non-zero value but with end of beacon.
CVE-2024-33013 — CVSS 7.5 (high): Transient DOS when driver accesses the ML IE memory and offset value is incremented beyond ML IE length.
CVE-2024-33015 — CVSS 7.5 (high): Transient DOS while parsing SCAN RNR IE when bytes received from AP is such that the size of the last param of IE is less than neighbor…
CVE-2024-33018 — CVSS 7.5 (high): Transient DOS while parsing the received TID-to-link mapping element of the TID-to-link mapping action frame.
CVE-2024-33024 — CVSS 7.5 (high): Transient DOS while parsing the ML IE when a beacon with length field inside the common info of ML IE greater than the ML IE length.
CVE-2024-33025 — CVSS 7.5 (high): Transient DOS while parsing the BSS parameter change count or MLD capabilities fields of the ML IE.
CVE-2024-33026 — CVSS 7.5 (high): Transient DOS while parsing probe response and assoc response frame when received frame length is less than max size of timestamp.
CVE-2024-33048 — CVSS 7.5 (high): Transient DOS while parsing the received TID-to-link mapping element of beacon/probe response frame.
CVE-2024-33050 — CVSS 7.5 (high): Transient DOS while parsing MBSSID during new IE generation in beacon/probe frame when IE length check is either missing or improper.