Memory corruption when two threads try to map and unmap a single node simultaneously.

Memory corruption when user provides data for FM HCI command control operations.

Transient DOS while processing TIM IE from beacon frame as there is no check for IE length.

Transient DOS while handling PS event when Program Service name length offset value is set to 255.

Memory corruption when Alternative Frequency offset value is set to 255.

Memory corruption can occur when arbitrary user-space app gains kernel level privilege to modify DDR memory by corrupting the GPU page table.

Transient DOS while parsing ESP IE from beacon/probe response frame.

Transient DOS while importing a PKCS#8-encoded RSA key with zero bytes modulus.

Memory corruption during session sign renewal request calls in HLOS.

Memory corruption when preparing a shared memory notification for a memparcel in Resource Manager.

Memory corruption when allocating and accessing an entry in an SMEM partition.

Memory corruption when an invoke call and a TEE call are bound for the same trusted application.

Memory corruption while processing key blob passed by the user.

Transient DOS while loading the TA ELF file.

Memory corruption while performing finish HMAC operation when context is freed by keymaster.

Memory corruption while copying a keyblob`s material when the key material`s size is not accurately checked.

Memory corruption in TZ Secure OS while Tunnel Invoke Manager initialization.

Memory corruption when the payload received from firmware is not as per the expected protocol size.

Memory corruption in HLOS while checking for the storage type.

Memory corruption while loading a VM from a signed VM image that is not coherent in the processor cache.