Memory corruption in WLAN HAL while processing devIndex from untrusted WMI payload.

Memory corruption in WLAN FW while processing command parameters from untrusted WMI payload.

Memory corruption in WLAN handler while processing PhyID in Tx status handler.

Memory corruption in WLAN HAL while processing command parameters from untrusted WMI payload.

Memory corruption in WLAN HAL while parsing Rx buffer in processing TLV payload.

Memory corruption in WLAN HAL while processing Tx/Rx commands from QDART.

Memory corruption in WLAN while sending transmit command from HLOS to UTF handlers.

Memory corruption in WIN Product while invoking WinAcpi update driver in the UEFI region.

Transient DOS in Bluetooth HOST while passing descriptor to validate the blacklisted BT keyboard.

Memory Corruption in Core Platform while printing the response buffer in log.

Memory corruption in Core Platform while printing the response buffer in log.

Memory corruption in Audio while validating and mapping metadata.

Memory corruption in Audio during playback session with audio effects enabled.

Transient DOS in Modem while processing invalid System Information Block 1.

Memory corruption in RIL due to Integer Overflow while triggering qcril_uim_request_apdu request.

Memory Corruption due to improper validation of array index in Linux while updating adn record.

Memory corruption due to buffer over-read in Modem while processing SetNativeHandle RTP service.

Memory corruption due to improper validation of array index in WLAN HAL when received lm_itemNum is out of range.

Information disclosure in Automotive multimedia due to buffer over-read.

In the function call related to CAM_REQ_MGR_RELEASE_BUF there is no check if the buffer is being used. So when a function called cam_mem_get_cpu_buf to get the kernel va to use, another thread can call CAM_REQ_MGR_RELEASE_BUF to unmap the kernel va which cause UAF of the kernel address.