| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
551 |
CVE-2017-9693 |
119 |
|
Overflow |
2018-03-30 |
2018-04-25 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The length of attribute value for STA_EXT_CAPABILITY in __wlan_hdd_change_station in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-06-06 being less than the actual lenth of StaParams.extn_capability results in a read for extra bytes when a memcpy is done from params->ext_capab to StaParams.extn_capability using the sizeof(StaParams.extn_capability). |
|
552 |
CVE-2017-9692 |
476 |
|
|
2018-03-30 |
2018-04-23 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
When an atomic commit is issued on a writeback panel with a NULL output_layer parameter in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-06-03, a NULL pointer dereference may potentially occur. |
|
553 |
CVE-2017-9691 |
362 |
|
|
2018-03-30 |
2018-04-23 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
There is a race condition in Android for MSM, Firefox OS for MSM, and QRD Android that allows to access to already free'd memory in the debug message output functionality contained within the mobicore driver. |
|
554 |
CVE-2017-9690 |
119 |
|
Overflow |
2017-11-16 |
2017-11-30 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in a qbt1000 ioctl handler, an incorrect buffer size check has an integer overflow vulnerability potentially leading to a buffer overflow. |
|
555 |
CVE-2017-9689 |
119 |
|
Overflow Mem. Corr. |
2018-01-10 |
2018-01-26 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a specially-crafted HDMI CEC message can be used to cause stack memory corruption. |
|
556 |
CVE-2017-9687 |
415 |
|
|
2017-10-10 |
2017-10-19 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, two concurrent threads/processes can write the value of "0" to the debugfs file that controls ipa ipc log which will lead to the double-free in ipc_log_context_destroy(). Another issue is the Use-After-Free which can happen due to the race condition when the ipc log is deallocated via the debugfs call during a log print. |
|
557 |
CVE-2017-9686 |
415 |
|
|
2017-10-10 |
2017-10-19 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, there is a possible double free/use after free in the SPS driver when debugfs logging is used. |
|
558 |
CVE-2017-9685 |
416 |
|
|
2017-08-18 |
2017-08-26 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, a race condition in a WLAN driver can lead to a Use After Free condition. |
|
559 |
CVE-2017-9684 |
416 |
|
|
2017-08-18 |
2017-08-21 |
7.6 |
None |
Remote |
High |
Not required |
Complete |
Complete |
Complete |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, a race condition in a USB driver can lead to a Use After Free condition. |
|
560 |
CVE-2017-9683 |
190 |
|
Overflow |
2017-10-10 |
2017-10-19 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while flashing a meta image, an integer overflow can occur, if user-defined image offset and size values are too large. |
|
561 |
CVE-2017-9682 |
362 |
|
|
2017-08-18 |
2017-08-21 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, a race condition in two KGSL driver functions can lead to a Use After Free condition. |
|
562 |
CVE-2017-9681 |
200 |
|
+Info |
2018-03-30 |
2018-04-20 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
In Android before 2017-08-05 on Qualcomm MSM, Firefox OS for MSM, QRD Android, and all Android releases from CAF using the Linux kernel, if kernel memory address is passed from userspace through iris_vidioc_s_ext_ctrls ioctl, it will print kernel address data. A user could set it to an arbitrary kernel address, hence information disclosure (for kernel) could occur. |
|
563 |
CVE-2017-9680 |
200 |
|
+Info |
2017-08-18 |
2017-08-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, if a pointer argument coming from userspace is invalid, a driver may use an uninitialized structure to log an error message. |
|
564 |
CVE-2017-9679 |
200 |
|
+Info |
2017-08-18 |
2017-08-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, if a userspace string is not NULL-terminated, kernel memory contents can leak to system logs. |
|
565 |
CVE-2017-9678 |
119 |
|
Overflow Mem. Corr. |
2017-08-18 |
2017-08-21 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, in a video driver, memory corruption can potentially occur due to lack of bounds checking in a memcpy(). |
|
566 |
CVE-2017-9677 |
264 |
|
Overflow |
2017-09-21 |
2017-09-26 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, in function msm_compr_ioctl_shared, variable "ddp->params_length" could be accessed and modified by multiple threads, while it is not protected with locks. If one thread is running, while another thread is setting data, race conditions will happen. If "ddp->params_length" is set to a big number, a buffer overflow will occur. |
|
567 |
CVE-2017-9676 |
416 |
|
|
2017-09-21 |
2017-09-26 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, potential use after free scenarios and race conditions can occur when accessing global static variables without using a lock. |
|
568 |
CVE-2017-8281 |
362 |
|
|
2017-09-21 |
2017-12-05 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, a race condition can allow access to already freed memory while querying event status via DCI. |
|
569 |
CVE-2017-8280 |
119 |
|
Overflow |
2017-09-21 |
2017-09-26 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, during the wlan calibration data store and retrieve operation, there are some potential race conditions which lead to a memory leak and a buffer overflow during the context switch. |
|
570 |
CVE-2017-8279 |
200 |
|
+Info |
2017-11-16 |
2017-11-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, missing race condition protection while updating msg mask table can lead to buffer over-read. Also access to freed memory can happen while updating msg_mask information. |
|
571 |
CVE-2017-8278 |
264 |
|
Overflow |
2017-09-21 |
2017-09-26 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, while reading audio data from an unspecified driver, a buffer overflow or integer overflow could occur. |
|
572 |
CVE-2017-8277 |
264 |
|
|
2017-09-21 |
2017-09-26 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, in the function msm_dba_register_client, if the client registers failed, it would be freed. However the client was not removed from list. Use-after-free would occur when traversing the list next time. |
|
573 |
CVE-2017-8273 |
119 |
|
Overflow |
2017-08-11 |
2017-08-16 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
In all Qualcomm products with Android release from CAF using the Linux kernel, while processing fastboot boot command when verified boot feature is disabled, with length greater than boot image buffer, a buffer overflow can occur. |
|
574 |
CVE-2017-8272 |
787 |
|
|
2017-08-18 |
2017-08-22 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, in a driver function, a value from userspace is not properly validated potentially leading to an out of bounds heap write. |
|
575 |
CVE-2017-8271 |
787 |
|
|
2017-08-11 |
2017-08-16 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Out of bound memory write can happen in the MDSS Rotator driver in all Qualcomm products with Android releases from CAF using the Linux kernel by an unsanitized userspace-controlled parameter. |
|
576 |
CVE-2017-8270 |
416 |
|
|
2017-08-18 |
2017-08-22 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, a race condition exists in a driver potentially leading to a use-after-free condition. |
|
577 |
CVE-2017-8269 |
200 |
|
+Info |
2017-08-11 |
2018-04-03 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Userspace-controlled non null terminated parameter for IPA WAN ioctl in all Qualcomm products with Android releases from CAF using the Linux kernel can lead to exposure of kernel memory. |
|
578 |
CVE-2017-8268 |
119 |
|
Overflow |
2017-08-18 |
2017-08-22 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, the camera application can possibly request frame/command buffer processing with invalid values leading to the driver performing a heap buffer over-read. |
|
579 |
CVE-2017-8267 |
190 |
|
Overflow |
2017-08-18 |
2017-08-22 |
7.6 |
None |
Remote |
High |
Not required |
Complete |
Complete |
Complete |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, a race condition exists in an IOCTL handler potentially leading to an integer overflow and then an out-of-bounds write. |
|
580 |
CVE-2017-8266 |
416 |
|
|
2017-08-18 |
2017-08-22 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, a race condition exists in a video driver potentially leading to a use-after-free condition. |
|
581 |
CVE-2017-8265 |
415 |
|
|
2017-08-18 |
2017-08-22 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, a race condition exists in a video driver which can lead to a double free. |
|
582 |
CVE-2017-8264 |
264 |
|
DoS |
2017-08-11 |
2017-08-16 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A userspace process can cause a Denial of Service in the camera driver in all Qualcomm products with Android releases from CAF using the Linux kernel. |
|
583 |
CVE-2017-8263 |
19 |
|
|
2017-08-18 |
2017-08-22 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, a kernel fault can occur when doing certain operations on a read-only virtual address in userspace. |
|
584 |
CVE-2017-8262 |
416 |
|
|
2017-08-18 |
2017-08-23 |
7.6 |
None |
Remote |
High |
Not required |
Complete |
Complete |
Complete |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, in some memory allocation and free functions, a race condition can potentially occur leading to a Use After Free condition. |
|
585 |
CVE-2017-8261 |
264 |
|
|
2017-08-18 |
2017-08-23 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, in a camera driver ioctl, a kernel overwrite can potentially occur. |
|
586 |
CVE-2017-8260 |
787 |
|
|
2017-08-18 |
2018-03-06 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, due to a type downcast, a value may improperly pass validation and cause an out of bounds write later. |
|
587 |
CVE-2017-8259 |
119 |
|
Overflow |
2017-08-11 |
2017-08-16 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
In the service locator in all Qualcomm products with Android releases from CAF using the Linux kernel, a buffer overflow can occur as the variable set for determining the size of the buffer is not used to indicate the size of the buffer. |
|
588 |
CVE-2017-8258 |
125 |
|
|
2017-08-11 |
2017-08-16 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
An array out-of-bounds access in all Qualcomm products with Android releases from CAF using the Linux kernel can potentially occur in a camera driver. |
|
589 |
CVE-2017-8257 |
264 |
|
|
2017-08-18 |
2017-08-23 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, when accessing the sde_rotator debug interface for register reading with multiple processes, one process can free the debug buffer while another process still has the debug buffer in use. |
|
590 |
CVE-2017-8256 |
264 |
|
|
2017-08-18 |
2017-08-23 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, array out of bounds access can occur if userspace sends more than 16 multicast addresses. |
|
591 |
CVE-2017-8255 |
190 |
|
Overflow |
2017-08-18 |
2017-08-23 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, an integer overflow vulnerability exists in boot. |
|
592 |
CVE-2017-8254 |
200 |
|
+Info |
2017-08-18 |
2017-08-23 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, an audio client pointer is dereferenced before being checked if it is valid. |
|
593 |
CVE-2017-8253 |
264 |
|
|
2017-08-18 |
2017-08-23 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, kernel memory can potentially be overwritten if an invalid master is sent from userspace. |
|
594 |
CVE-2017-8251 |
264 |
|
Overflow |
2017-09-21 |
2017-09-26 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, in functions msm_isp_check_stream_cfg_cmd & msm_isp_stats_update_cgc_override, 'stream_cfg_cmd->num_streams' is not checked, and could overflow the array stream_cfg_cmd->stream_handle. |
|
595 |
CVE-2017-8250 |
264 |
|
Overflow |
2017-09-21 |
2017-09-26 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, user controlled variables "nr_cmds" and "nr_bos" number are passed across functions without any check. An integer overflow to buffer overflow (with a smaller buffer allocated) may occur when they are too large or negative. |
|
596 |
CVE-2017-8247 |
264 |
|
|
2017-09-21 |
2017-09-26 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
In all Qualcomm products with Android releases from CAF using the Linux kernel, if there is more than one thread doing the device open operation, the device may be opened more than once. This would lead to get_pid being called more than once, however put_pid being called only once in function "msm_close". |
|
597 |
CVE-2017-8243 |
119 |
|
Overflow |
2017-08-16 |
2017-08-20 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
A buffer overflow can occur in all Qualcomm products with Android for MSM, Firefox OS for MSM, or QRD Android when processing a firmware image file. |
|
598 |
CVE-2017-8242 |
362 |
|
|
2017-06-13 |
2017-07-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
In all Android releases from CAF using the Linux kernel, a race condition exists in a QTEE driver potentially leading to an arbitrary memory write. |
|
599 |
CVE-2017-8241 |
119 |
|
Overflow |
2017-06-13 |
2017-07-07 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
In all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in a WLAN function due to an incorrect message length. |
|
600 |
CVE-2017-8240 |
119 |
|
Overflow |
2017-06-13 |
2017-07-07 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
In all Android releases from CAF using the Linux kernel, a kernel driver has an off-by-one buffer over-read vulnerability. |
