The cam_get_device_priv function does not check the type of handle being returned (device/session/link). This would lead to invalid type usage if a wrong handle is passed to it.

Transient DOS in Audio while remapping channel buffer in media codec decoding.

Memory corruption while allocating memory in COmxApeDec module in Audio.

Memory Corruption in Audio while playing amrwbplus clips with modified content.

Memory Corruption in Core due to incorrect type conversion or cast in secure_io_read/write function in TEE.

Memory corruption in WLAN while running doDriverCmd for an unspecific command.

Memory corruption in RIL while trying to send apdu packet.

Cryptographic issue in HLOS due to improper authentication while performing key velocity checks using more than one key.

Memory corruption due to buffer copy without checking size of input in Audio while voice call with EVS vocoder.

Memory Corruption in WLAN HOST while fetching TX status information.

Memory Corruption in Data Modem while processing DMA buffer release event about CFR data.

Memory Corruption in Audio while allocating the ion buffer during the music playback.

Arbitrary memory overwrite when VM gets compromised in TX write leading to Memory Corruption.

Memory Corruption in WLAN HOST while processing WLAN FW request to allocate memory.

Memory corruption in Linux while calling system configuration APIs.

Memory Corruption in Linux while processing QcRilRequestImsRegisterMultiIdentityMessage request.

Weak Configuration due to improper input validation in Modem while processing LTE security mode command message received from network.

Memory Corruption in Modem due to double free while parsing the PKCS15 sim files.

Memory Corruption in GPU Subsystem due to arbitrary command execution from GPU in privileged mode.

Information Disclosure in WLAN HOST while sending DPP action frame to peer with an invalid source address.