Information disclosure when VI calibration state set by ADSP is greater than MAX_FBSP_STATE in the response payload to AFE calibration command.

Transient DOS while processing DL NAS TRANSPORT message with payload length 0.

Transient DOS while processing SMS container of non-standard size received in DL NAS transport in NR.

Memory corruption while processing finish_sign command to pass a rsp buffer.

Memory corruption in SPS Application while requesting for public key in sorter TA.

Memory corruption while processing TPC target power table in FTM TPC.

Transient DOS while processing an improperly formatted 802.11az Fine Time Measurement protocol frame.

Transient DOS while processing PDU Release command with a parameter PDU ID out of range.

Transient DOS while processing DL NAS Transport message, as specified in 3GPP 24.501 v16.

Transient DOS while processing multiple payload container type with incorrect container length received in DL NAS transport OTA in NR.

Transient DOS while processing channel information for speaker protection v2 module in ADSP.

Transient DOS while processing multiple IKEV2 Informational Request to device from IPSEC server with different identifiers.

Memory corruption in Audio while processing RT proxy port register driver.

Memory corruption in Core Services while executing the command for removing a single event listener.

Transient DOS while parse fils IE with length equal to 1.

Transient DOS in WLAN Firmware when the length of received beacon is less than length of ieee802.11 beacon frame.

Transient DOS while processing 11AZ RTT management action frame received through OTA.

Transient DOS while key unwrapping process, when the given encrypted key is empty or NULL.

Memory corruption while processing the event ring, the context read pointer is untrusted to HLOS and when it is passed with arbitrary values, may point to address in the middle of ring element.

Memory corruption in HLOS while converting from authorization token to HIDL vector.