Memory corruption while processing voice packet with arbitrary data received from ADSP.

Memory corruption while handling session errors from firmware.

Cryptographic issue when a controller receives an LMP start encryption command under unexpected conditions.

Memory corruption while processing input parameters for any IOCTL call in the JPEG Encoder driver.

Memory corruption while handling IOCTL calls in JPEG Encoder driver.

Memory corruption when the user application modifies the same shared memory asynchronously when kernel is accessing it.

Memory corruption while maintaining memory maps of HLOS memory.

Transient DOS when transmission of management frame sent by host is not successful and error status is received in the host.

Memory corruption while taking snapshot when an offset variable is set by camera driver.

Memory corruption when invalid length is provided from HLOS for FRS/UDS request/response buffers.

Memory corruption when two threads try to map and unmap a single node simultaneously.

Memory corruption when user provides data for FM HCI command control operations.

Transient DOS while processing TIM IE from beacon frame as there is no check for IE length.

Transient DOS while parsing the received TID-to-link mapping element of beacon/probe response frame.

Transient DOS while handling PS event when Program Service name length offset value is set to 255.

Memory corruption when Alternative Frequency offset value is set to 255.

Transient DOS while parsing the BSS parameter change count or MLD capabilities fields of the ML IE.

Transient DOS while parsing the ML IE when a beacon with length field inside the common info of ML IE greater than the ML IE length.

Memory corruption while creating a fence to wait on timeline events, and simultaneously signal timeline events.

Transient DOS while processing TID-to-link mapping IE elements.