Cryptographic issue when a controller receives an LMP start encryption command under unexpected conditions.

Memory corruption while processing input parameters for any IOCTL call in the JPEG Encoder driver.

Memory corruption while handling IOCTL calls in JPEG Encoder driver.

Memory corruption when the user application modifies the same shared memory asynchronously when kernel is accessing it.

Transient DOS as modem reset occurs when an unexpected MAC RAR (with invalid PDU length) is seen at UE.

Memory corruption while taking snapshot when an offset variable is set by camera driver.

Memory corruption when invalid length is provided from HLOS for FRS/UDS request/response buffers.

Memory corruption while processing IOCTL call for getting group info.

Memory corruption when two threads try to map and unmap a single node simultaneously.

Memory corruption when user provides data for FM HCI command control operations.

Transient DOS while processing TIM IE from beacon frame as there is no check for IE length.

Transient DOS while parsing MBSSID during new IE generation in beacon/probe frame when IE length check is either missing or improper.

Memory corruption when BTFM client sends new messages over Slimbus to ADSP.

Transient DOS while handling PS event when Program Service name length offset value is set to 255.

Memory corruption when Alternative Frequency offset value is set to 255.

Memory corruption can occur if VBOs hold outdated or invalid GPU SMMU mappings, especially when the binding and reclaiming of memory buffers are performed at the same time.

Memory corruption as fence object may still be accessed in timeline destruct after isync fence is released.

Memory corruption can occur when arbitrary user-space app gains kernel level privilege to modify DDR memory by corrupting the GPU page table.

Memory corruption while creating a fence to wait on timeline events, and simultaneously signal timeline events.

Memory corruption while allocating memory in HGSL driver.