Qualcomm : Security Vulnerabilities, CVEs, CVSS score between 7 and 7.99

Transient DOS while parse fils IE with length equal to 1.

Transient DOS in WLAN Firmware when the length of received beacon is less than length of ieee802.11 beacon frame.

Transient DOS while processing 11AZ RTT management action frame received through OTA.

Transient DOS while key unwrapping process, when the given encrypted key is empty or NULL.

Memory corruption when malformed message payload is received from firmware.

Memory corruption while processing the event ring, the context read pointer is untrusted to HLOS and when it is passed with arbitrary values, may point to address in the middle of ring element.

Transient DOS while parsing GATT service data when the total amount of memory that is required by the multiple services is greater than the actual size of the services buffer.

Transient DOS while parsing IPv6 extension header when WLAN firmware receives an IPv6 packet that contains `IPPROTO_NONE` as the next header.

Memory corruption in Audio when memory map command is executed consecutively in ADSP.

Memory corruption while processing Listen Sound Model client payload buffer when there is a request for Listen Sound session get parameter from ST HAL.

Memory corruption when HLOS allocates the response payload buffer to copy the data received from ADSP in response to AVCS_LOAD_MODULE command.

Transient DOS while parsing ieee80211_parse_mscs_ie in WIN WLAN driver.

Transient DOS when WLAN firmware receives "reassoc response" frame including RIC_DATA element.

The session index variable in PCM host voice audio driver initialized before PCM open, accessed during event callback from ADSP and reset during PCM close may lead to race condition between event callback - PCM close and reset session index causing memory corruption.

Transient DOS while processing a WMI P2P listen start command (0xD00A) sent from host.

Transient DOS while parsing WPA IES, when it is passed with length more than expected size.

Transient DOS in WLAN Firmware while processing a FTMR frame.

Transient DOS when processing a NULL buffer while parsing WLAN vdev.

Memory corruption in Core while processing RX intent request.

Memory corruption in wearables while processing data from AON.

Transient DOS while converting TWT (Target Wake Time) frame parameters in the OTA broadcast.

Transient DOS while parsing a vender specific IE (Information Element) of reassociation response management frame.

Memory corruption in Audio while running invalid audio recording from ADSP.

Memory corruption in HLOS while converting from authorization token to HIDL vector.

Memory corruption in Core when updating rollback version for TA and OTA feature is enabled.