| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2018-11893 |
119 |
|
Overflow |
2018-09-19 |
2018-11-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing vendor scan request, when input argument - length of request IEs is greater than maximum can lead to a buffer overflow. |
|
2 |
CVE-2018-11832 |
20 |
|
Overflow |
2018-09-18 |
2018-11-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of input size validation before copying to buffer in PMIC function can lead to heap overflow. |
|
3 |
CVE-2018-11818 |
416 |
|
|
2018-09-18 |
2018-11-09 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, LUT configuration is passed down to driver from userspace via ioctl. Simultaneous update from userspace while kernel drivers are updating LUT registers can lead to race condition. |
|
4 |
CVE-2018-11304 |
190 |
|
Overflow |
2018-07-06 |
2018-09-07 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Possible buffer overflow in msm_adsp_stream_callback_put due to lack of input validation of user-provided data that leads to integer overflow in all Android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel. |
|
5 |
CVE-2018-11302 |
20 |
|
Overflow |
2018-09-18 |
2018-11-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check of input received from userspace before copying into buffer can lead to potential array overflow in WLAN. |
|
6 |
CVE-2018-11301 |
191 |
|
Overflow |
2018-09-18 |
2018-11-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check on buffer length while processing debug log event from firmware can lead to an integer overflow. |
|
7 |
CVE-2018-11300 |
416 |
|
|
2018-09-18 |
2018-11-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, callback executed from the other thread has freed memory which is also used in wlan function and may result in to a "Use after free" scenario. |
|
8 |
CVE-2018-11298 |
119 |
|
Overflow |
2018-09-18 |
2018-11-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing SET_PASSPOINT_LIST vendor command HDD does not make sure that the realm string that gets passed by upper-layer is NULL terminated. This may lead to buffer overflow as strlen is used to get realm string length to construct the PASSPOINT WMA command. |
|
9 |
CVE-2018-11286 |
416 |
|
|
2018-09-18 |
2018-11-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while accessing global variable "debug_client" in multi-thread manner, Use after free issue occurs |
|
10 |
CVE-2018-11280 |
20 |
|
|
2018-09-18 |
2018-11-09 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing user-space there is no size validation of the NAT entry input. If the user input size of the NAT entry is greater than the max allowed size, memory exhaustion will occur. |
|
11 |
CVE-2018-11276 |
415 |
|
|
2018-09-18 |
2018-11-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, double free of memory allocation is possible in Kernel when it explicitly tries to free that memory on driver probe failure, since memory allocated is automatically freed on probe. |
|
12 |
CVE-2018-11275 |
200 |
|
+Info |
2018-09-18 |
2018-11-09 |
4.9 |
None |
Local |
Low |
Not required |
Complete |
None |
None |
|
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, when flashing image using FastbootLib if size is not divisible by block size, information leak occurs. |
|
13 |
CVE-2018-11273 |
415 |
|
|
2018-09-18 |
2018-11-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, 'voice_svc_dev' is allocated as a device-managed resource. If error 'cdev_alloc_err' occurs, 'device_destroy' will free all associated resources, including 'voice_svc_dev' leading to a double free. |
|
14 |
CVE-2018-11270 |
415 |
|
Mem. Corr. |
2018-09-18 |
2018-11-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, memory allocated with devm_kzalloc is automatically released by the kernel if the probe function fails with an error code. This may result in data corruption. |
|
15 |
CVE-2018-11265 |
119 |
|
Overflow |
2018-09-18 |
2018-11-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, possible buffer overflow while incrementing the log_buf of type uint64_t in memcpy function, since the log_buf pointer can access the memory beyond the size to store the data after pointer increment. |
|
16 |
CVE-2018-9511 |
254 |
|
DoS |
2018-10-02 |
2018-11-20 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
In ipSecSetEncapSocketOwner of XfrmController.cpp, there is a possible failure to initialize a security feature due to uninitialized data. This could lead to local denial of service of IPsec on sockets with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-9.0 Android ID: A-111650288 |
|
17 |
CVE-2018-9499 |
200 |
|
+Info |
2018-10-02 |
2018-11-20 |
4.9 |
None |
Local |
Low |
Not required |
Complete |
None |
None |
|
In readVector of iCrypto.cpp, there is a possible invalid read due to uninitialized data. This could lead to local information disclosure from the DRM server with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9.0 Android ID: A-79218474 |
|
18 |
CVE-2018-5907 |
20 |
|
Overflow |
2018-07-06 |
2018-08-29 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Possible buffer overflow in msm_adsp_stream_callback_put due to lack of input validation of user-provided data that leads to integer overflow in all Android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel. |
|
19 |
CVE-2018-5905 |
119 |
|
Overflow |
2018-09-19 |
2018-11-08 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, a race condition while accessing num of clients in DIAG services can lead to out of boundary access. |
|
20 |
CVE-2018-5899 |
416 |
|
|
2018-07-06 |
2018-08-27 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05, whenever TDLS connection is setup, we are freeing the netbuf in ol_tx_completion_handler and after that, we are accessing it in NBUF_UPDATE_TX_PKT_COUNT causing a use after free. |
|
21 |
CVE-2018-5898 |
190 |
|
Overflow |
2018-07-06 |
2018-08-27 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Integer overflow can occur in msm_pcm_adsp_stream_cmd_put() function if the user supplied data "param_length" goes beyond certain limit in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05. |
|
22 |
CVE-2018-5893 |
119 |
|
Overflow |
2018-07-06 |
2018-08-27 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
While processing a message from firmware in htt_t2h_msg_handler_fast() in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05, a buffer overwrite can occur. |
|
23 |
CVE-2018-5890 |
264 |
|
Bypass |
2018-07-06 |
2018-08-27 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
If the fdt_totalsize is reported as 0 for the current device tree, it bypasses an error check for a valid device tree in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05. |
|
24 |
CVE-2018-5889 |
119 |
|
Overflow |
2018-07-06 |
2018-08-27 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
While processing a compressed kernel image, a buffer overflow can occur in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05. |
|
25 |
CVE-2018-5888 |
125 |
|
|
2018-07-06 |
2018-08-27 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
While processing the system path, an out of bounds access can occur in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05. |
|
26 |
CVE-2018-5887 |
125 |
|
|
2018-07-06 |
2018-08-27 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
While processing the USB StrSerialDescriptor array, an array index out of bounds can occur in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05. |
|
27 |
CVE-2018-5863 |
119 |
|
Overflow |
2018-06-15 |
2018-08-06 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
If userspace provides a too-large WPA RSN IE length in wlan_hdd_cfg80211_set_ie(), a buffer overflow occurs in all Android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel. |
|
28 |
CVE-2018-5862 |
119 |
|
Overflow |
2018-07-06 |
2018-09-04 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In __wlan_hdd_cfg80211_vendor_scan() in all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-07-05, when SCAN_SSIDS and QCA_WLAN_VENDOR_ATTR_SCAN_FREQUENCIES are parsed, a buffer overwrite can potentially occur. |
|
29 |
CVE-2018-5860 |
824 |
|
|
2018-06-15 |
2018-08-06 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
In the MDSS driver in all Android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, a data structure may be used without being initialized correctly. |
|
30 |
CVE-2018-5859 |
416 |
|
|
2018-07-06 |
2018-08-27 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Due to a race condition in the MDSS MDP driver in all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-07-05, a Use After Free condition can occur. |
|
31 |
CVE-2018-5858 |
119 |
|
Overflow |
2018-07-06 |
2018-08-29 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In the audio debugfs in all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-07-05, out of bounds access can occur. |
|
32 |
CVE-2018-5857 |
416 |
|
|
2018-06-15 |
2018-08-06 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In the WCD CPE codec, a Use After Free condition can occur in all Android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel. |
|
33 |
CVE-2018-5854 |
119 |
|
Overflow |
2018-06-15 |
2018-08-06 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
A stack-based buffer overflow can occur in fastboot from all Android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel. |
|
34 |
CVE-2018-5853 |
416 |
|
|
2018-07-06 |
2018-08-29 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A race condition exists in a driver in all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-05-05 potentially leading to a use-after-free condition. |
|
35 |
CVE-2018-5851 |
129 |
|
|
2018-06-12 |
2018-08-03 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Buffer over flow can occur while processing a HTT_T2H_MSG_TYPE_TX_COMPL_IND message with an out-of-range num_msdus value in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. |
|
36 |
CVE-2018-5849 |
416 |
|
|
2018-06-12 |
2018-08-03 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Due to a race condition in the QTEECOM driver in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel, when more than one HLOS client loads the same TA, a Use After Free condition can occur. |
|
37 |
CVE-2018-5848 |
190 |
|
Overflow |
2018-06-12 |
2018-10-31 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In the function wmi_set_ie(), the length validation code does not handle unsigned integer overflow properly. As a result, a large value of the 'ie_len' argument can cause a buffer overflow in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. |
|
38 |
CVE-2018-5847 |
416 |
|
|
2018-06-12 |
2018-08-03 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Early or late retirement of rotation requests can result in a Use After Free condition in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. |
|
39 |
CVE-2018-5844 |
416 |
|
|
2018-06-12 |
2018-08-03 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In the video driver function set_output_buffers(), binfo can be accessed after being freed in a failure scenario in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. |
|
40 |
CVE-2018-5843 |
119 |
|
Overflow |
2018-06-12 |
2018-08-03 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In the function wma_pdev_div_info_evt_handler() in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel, there is no upper bound check on the value event->num_chains_valid received from firmware which can lead to a buffer overwrite of the fixed size chain_rssi_result structure. |
|
41 |
CVE-2018-5842 |
119 |
|
Overflow |
2018-06-12 |
2018-08-03 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
An arbitrary address write can occur if a compromised WLAN firmware sends incorrect data to WLAN driver in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. |
|
42 |
CVE-2018-5834 |
119 |
|
Overflow |
2018-07-06 |
2018-09-04 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In __wlan_hdd_cfg80211_vendor_scan(), a buffer overwrite can potentially occur in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05. |
|
43 |
CVE-2018-5832 |
416 |
|
|
2018-07-06 |
2018-09-04 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Due to a race condition in a camera driver ioctl handler in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05, a Use After Free condition can occur. |
|
44 |
CVE-2018-5828 |
119 |
|
Overflow |
2018-04-03 |
2018-05-14 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, in function wma_extscan_start_stop_event_handler(), vdev_id comes from the variable event from firmware and is not properly validated potentially leading to a buffer overwrite. |
|
45 |
CVE-2018-5827 |
119 |
|
Overflow |
2018-05-17 |
2018-06-19 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, a buffer overflow vulnerability exists in WLAN while processing an extscan hotlist event. |
|
46 |
CVE-2018-5826 |
416 |
|
|
2018-04-03 |
2018-05-11 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, due to a race condition, a Use After Free condition can occur in the WLAN driver. |
|
47 |
CVE-2018-5825 |
416 |
|
|
2018-04-03 |
2018-05-11 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, in the kernel IPA driver, a Use After Free condition can occur. |
|
48 |
CVE-2018-5824 |
119 |
|
Overflow |
2018-04-03 |
2018-05-11 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, while processing HTT_T2H_MSG_TYPE_RX_FLUSH or HTT_T2H_MSG_TYPE_RX_PN_IND messages, a buffer overflow can occur if the tid value obtained from the firmware is out of range. |
|
49 |
CVE-2018-5823 |
119 |
|
Overflow |
2018-04-03 |
2018-05-11 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, improper buffer length validation in extscan hotlist event can lead to potential buffer overflow. |
|
50 |
CVE-2018-5383 |
310 |
|
|
2018-08-07 |
2018-10-18 |
4.3 |
None |
Local Network |
Medium |
Not required |
Partial |
Partial |
None |
|
Bluetooth firmware or operating system software drivers in macOS versions before 10.13, High Sierra and iOS versions before 11.4, and Android versions before the 2018-06-05 patch may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device. |
