Memory corruption when invalid input is passed to invoke GPU Headroom API call.

Transient DOS while parsing the ML IE when a beacon with common info length of the ML IE greater than the ML IE inside which this element is present.

Memory corruption when allocating and accessing an entry in an SMEM partition continuously.

Memory corruption while Configuring the SMR/S2CR register in Bypass mode.

Possible out of bound access in audio module due to lack of validation of user provided input.

Memory corruption during GNSS HAL process initialization.

Memory corruption while processing GPU page table switch.

Memory corruption while processing voice packet with arbitrary data received from ADSP.

Memory corruption while invoking IOCTL calls from the use-space for HGSL memory node.

Memory corruption while handling session errors from firmware.

Transient DOS while parsing fragments of MBSSID IE from beacon frame.

Memory corruption while maintaining memory maps of HLOS memory.

Memory corruption while unmapping the fastrpc map when two threads can free the same map in concurrent scenario.

Memory corruption when two threads try to map and unmap a single node simultaneously.

Transient DOS while parsing the multi-link element Control field when common information length check is missing before updating the location.

Memory corruption when user provides data for FM HCI command control operations.

Transient DOS while processing TIM IE from beacon frame as there is no check for IE length.

Transient DOS while parsing MBSSID during new IE generation in beacon/probe frame when IE length check is either missing or improper.

Transient DOS while parsing the received TID-to-link mapping element of beacon/probe response frame.

Memory corruption when BTFM client sends new messages over Slimbus to ADSP.