April 2020 Security Bulletin

Version 1.0

Published: 04/06/2020

This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices.

Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.

Table of Contents

Announcements:
Acknowledgements:
Proprietary Software Issues:
Open Source Software Issues:
Industry Coordination:
Version History:

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2019-14131 aedla
CVE-2020-3650, CVE-2020-3652, CVE-2020-3653 Haikuo Xie and Ying Wang of Baidu Security Lab
CVE-2019-14009 Arash Tohidi
CVE-2019-14018, CVE-2019-14021 Peter Park(peterpark)
CVE-2020-3651, CVE-2019-10547, CVE-2019-10625 Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin.
CVE-2019-10556 Jianqiang Zhao(@jianqiangzhao) and pjf(weibo.com/jfpan) of IceSword Lab, Qihoo 360
CVE-2019-10574 Slava Makkaveev slavam@checkpoint.com
CVE-2019-10620 Jianqiang Zhao (jianqiangzhao)
CVE-2019-10623, CVE-2019-10624 D.2.Y.P (d2yp_)

Proprietary Software Issues

The tables below summarize security vulnerabilities that were addressed through proprietary software.

This table lists high-impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.

Public ID Security Rating Technology Area Date Reported
CVE-2019-10575 Critical Core Internal
CVE-2019-10588 Critical Data Modem Internal
CVE-2019-10609 Critical Data Modem Internal
CVE-2019-14110 Critical WLAN Firmware Internal
CVE-2019-14111 Critical WLAN Firmware Internal
CVE-2019-14112 Critical WLAN Firmware Internal
CVE-2019-14113 Critical WLAN Firmware Internal
CVE-2019-14114 Critical WLAN Firmware Internal
CVE-2020-3650 Critical WLAN Windows Host 12/28/2019
CVE-2019-10483 High Core, QWES Internal
CVE-2019-10551 High Data Modem Internal
CVE-2019-10589 High QTEE Internal
CVE-2019-10608 High Content Protection Internal
CVE-2019-10610 High Data Modem Internal
CVE-2019-14001 High HLOS Internal
CVE-2019-14007 High Content Protection Internal
CVE-2019-14009 High NFC 05/21/2019
CVE-2019-14011 High Multi-Mode Call Processor Internal
CVE-2019-14012 High Data Modem Internal
CVE-2019-14018 High WCDMA 07/08/2019
CVE-2019-14019 High Multi-Mode Call Processor Internal
CVE-2019-14020 High Multi-Mode Call Processor Internal
CVE-2019-14021 High GPS 07/08/2019
CVE-2019-14022 High Data Modem Internal
CVE-2019-14033 High Multi-Mode Call Processor Internal
CVE-2019-14075 High RIL Internal
CVE-2019-14105 High Camera Driver Internal
CVE-2019-14116 High WIN TZ FW Internal
CVE-2019-14127 High Video Internal
CVE-2019-14134 High WLAN Firmware Internal
CVE-2019-14135 High WLAN Firmware Internal
CVE-2020-3652 High WLAN Windows Host 12/28/2019
CVE-2020-3653 High WLAN Windows Host 12/28/2019





This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.

Public ID Security Rating Technology Area Date Reported
CVE-2019-10523 Medium Telephony 03/21/2019
CVE-2019-10574 Medium HLOS 03/07/2019

CVE-2019-10575

CVE ID CVE-2019-10575
Title Improper Authentication Issue in WLAN
Description A WLAN binary that is not signed with the OEM’s RoT runs on a secure device without an authentication failure
Technology Area Core
Vulnerability Type CWE-287 Improper Authentication
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 10/07/2019
Affected Chipsets* SDA845, SDM845, SDM850

CVE-2019-10588

CVE ID CVE-2019-10588
Title Buffer Copy Without Checking Size of Input in Data Modem
Description RTCP messages are copied into the output buffer without checking the destination buffer size, which could lead to a remote stack overflow.
Technology Area Data Modem
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-10609

CVE ID CVE-2019-10609
Title Improper Validation of Array Index in Modem Data
Description Out of bound write can happen due to lack of check of array index value while calculating it.
Technology Area Data Modem
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-14110

CVE ID CVE-2019-14110
Title Buffer Copy Without Checking Size of Input in WLAN
Description Buffer overflow can occur in function wlan firmware while copying association frame content if frame length is more than the maximum buffer size in case of SAP mode
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8064, APQ8096, APQ8096AU, APQ8098, IPQ6018, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA4531, QCA6174A, QCA6564, QCA6574AU, QCA6584, QCA6584AU, QCA8081, QCA9377, QCA9379, QCA9886, QCN7605, QCS404, QCS405, QCS605, Rennell, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130, SXR2130

CVE-2019-14111

CVE ID CVE-2019-14111
Title Possible Buffer Overflow Issue in WLAN
Description Possible buffer overflow while handling NAN reception of NMF
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* IPQ6018, IPQ8074, Nicobar, QCA6390, QCA8081, QCN7605, QCS404, QCS405, Rennell, SC7180, SC8180X, SM6150, SM7150, SM8150, SXR2130

CVE-2019-14112

CVE ID CVE-2019-14112
Title Buffer Copy Without Checking Size of Input in WLAN
Description Potential buffer overflow while processing CBF frames due to lack of check of buffer length before copy
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* APQ8098, IPQ6018, IPQ8074, MSM8998, Nicobar, QCA8081, QCN7605, QCS404, QCS605, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SXR1130, SXR2130

CVE-2019-14113

CVE ID CVE-2019-14113
Title Integer Overflow to Buffer Overflow Issue in WLAN
Description Buffer overflow can occur in WLAN firmware while unwrapping data using the CCMP cipher suite during parsing of an EAPOL handshake frame
Technology Area WLAN Firmware
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8064, APQ8096, APQ8096AU, APQ8098, IPQ6018, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8996AU, MSM8998, Nicobar, QCA4531, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA8081, QCA9377, QCA9379, QCA9886, QCN7605, QCS404, QCS405, QCS605, Rennell, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130, SXR2130

CVE-2019-14114

CVE ID CVE-2019-14114
Title Integer Overflow to Buffer Overflow Issue in WLAN
Description Buffer overflow in WLAN firmware while parsing GTK IE containing GTK key having length more than the buffer size
Technology Area WLAN Firmware
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, IPQ6018, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8996AU, MSM8998, Nicobar, QCA4531, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA8081, QCA9377, QCA9379, QCA9886, QCN7605, QCS404, QCS405, QCS605, Rennell, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130, SXR2130

CVE-2020-3650

CVE ID CVE-2020-3650
Title Buffer Copy Without Checking Size of Input in WLAN
Description Possible buffer overflow issues in IEEE80211 driver while processing IE entered by the user due to improper length check of data received.
Technology Area WLAN Windows Host
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating Critical
Date Reported 12/28/2019
Customer Notified Date 02/11/2020
Affected Chipsets*  

CVE-2019-10483

CVE ID CVE-2019-10483
Title Information Exposure issue in QTEE
Description Side channel issue in QTEE due to usage of non-time-constant comparison function such as memcmp or strcmp
Technology Area Core, QWES
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8009, APQ8016, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, IPQ8074, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, QCA8081, QCS404, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX55, SM6150, SM7150, SM8150, SXR1130, SXR2130

CVE-2019-10551

CVE ID CVE-2019-10551
Title String Errors in Modem Data
Description String error while processing non-standard SIP messages received can lead to a buffer over-read and then denial of service
Technology Area Data Modem
Vulnerability Type CWE-133 String Errors
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-10589

CVE ID CVE-2019-10589
Title Buffer Copy Without Checking Size of Input in QTEE
Description Lack of a length check on the response buffer can lead to a buffer overflow while handling the GP command response buffer
Technology Area QTEE
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8017, APQ8053, APQ8098, MDM9206, MDM9607, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8998, QM215, SDA660, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660

CVE-2019-10608

CVE ID CVE-2019-10608
Title Information Exposure Issue in Content Protection
Description An information disclosure issue occurs because there is no binding between the secure keypad session and the secure display session, which allows a user to take control of the REE to stop the secure keypad session and read the keypad input.
Technology Area Content Protection
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8009, MSM8905, MSM8909

CVE-2019-10610

CVE ID CVE-2019-10610
Title Buffer Over-read in Modem Data
Description Possible buffer over-read when trying to process an SDP message video media line with a frame-size attribute in the video media line
Technology Area Data Modem
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-14001

CVE ID CVE-2019-14001
Title Cryptographic Issue in HLOS
Description Wrong public key usage from existing oem_keystore for hash generation
Technology Area HLOS
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8953, MSM8996AU, QM215, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDX20

CVE-2019-14007

CVE ID CVE-2019-14007
Title Information Exposure Issue in Content Protection
Description The use of non-time-constant comparison functions creates a timing side channel, which can be used as a potential side channel for SUI corruption
Technology Area Content Protection
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCS404, QCS405, QCS605, QM215, Rennell, SA6155P, SC7180, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130, SXR2130

CVE-2019-14009

CVE ID CVE-2019-14009
Title Use of Out of Range Pointer Offset Issue in Trustzone Application
Description Out of bound memory access while processing TZ command handler due to improper input validation on response length received from user
Technology Area NFC
Vulnerability Type CWE-823 Use of Out-of-range Pointer Offset
Access Vector Local
Security Rating High
Date Reported 05/21/2019
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8009, APQ8098, MDM9150, MDM9607, MDM9650, MSM8905, MSM8909, MSM8998, SDA660, SDA845, SDM630, SDM636, SDM660, SDM845, SDM850, SXR2130

CVE-2019-14011

CVE ID CVE-2019-14011
Title Buffer Over-read Issue in Multi Mode Call Processor
Description Multiple read overflow issues due to improper length check while decoding 3G attach accept / SMS / PDN connection reject / ESM data transport / bearer modify context reject
Technology Area Multi-Mode Call Processor
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8009, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-14012

CVE ID CVE-2019-14012
Title Null Pointer Dereference Issue in Modem Data
Description Possibility of a null pointer dereference, as the array of video codecs from media info is referenced without null checking while processing SDP messages
Technology Area Data Modem
Vulnerability Type CWE-476 NULL Pointer Dereference
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 10/07/2019
Affected Chipsets* MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, Nicobar, QCM2150, QM215, Rennell, SC7180, SC8180X, SDA845, SDM429, SDM439, SDM450, SDM632, SDM845, SDM850, SDX24, SM6150, SM7150, SM8150

CVE-2019-14018

CVE ID CVE-2019-14018
Title Improper Validation of Array Index in WCDMA
Description Possible out of bound array access as there is no check on carrier index passed
Technology Area WCDMA
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported 07/08/2019
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-14019

CVE ID CVE-2019-14019
Title Buffer over-read Issue in Multi Mode Call Processor
Description Multiple read overflow issues due to improper length check while decoding RAU accept/PDN disconnect Rej/Modify EPS ctxt req/bearer resource alloc Rej/Deact EPS bearer Req
Technology Area Multi-Mode Call Processor
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8009, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-14020

CVE ID CVE-2019-14020
Title Buffer over-read Issue in Multi Mode Call Processor
Description Multiple read overflow issues due to improper length check while decoding dedicated_eps_bearer_req/ act_def_context_req/ cs_serv_notification/ emm_info/ guti_realloc_cmd
Technology Area Multi-Mode Call Processor
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-14021

CVE ID CVE-2019-14021
Title Buffer Copy Without Checking Size of Input in GPS Subsystem
Description Possible buffer overrun when processing EFS filename and payload sent over diag interface due to lack of check for filename length and payload size received
Technology Area GPS
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported 07/08/2019
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-14022

CVE ID CVE-2019-14022
Title Reachable Assertion in Modem Data
Description An error occurs while extracting an ipv6_header that has an invalid length, due to lack of a length check
Technology Area Data Modem
Vulnerability Type CWE-617 Reachable Assertion
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8096AU, MDM9205, MDM9206, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-14033

CVE ID CVE-2019-14033
Title Buffer Over-read Issue in Multi Mode Call Processor
Description Multiple read overflow issues due to improper length check while decoding tau reject/tau accept/detach request/attach reject/attach accept
Technology Area Multi-Mode Call Processor
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-14075

CVE ID CVE-2019-14075
Title Null Pointer Dereference Issue in Radio Interface layer
Description Null pointer dereference issue in radio interface layer due to lack of null check in sapmodule destructor
Technology Area RIL
Vulnerability Type CWE-476 NULL Pointer Dereference
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/02/2019
Affected Chipsets* MDM9607, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8998, Nicobar, QCS605, Rennell, Saipan, SDM450, SDM630, SDM636, SDM660, SDM670, SDM710, SM6150, SM7150, SM8150, SM8250, SXR2130

CVE-2019-14105

CVE ID CVE-2019-14105
Title Stack Based Buffer Overflow in Camera
Description Kernel was reading the CSL defined reserved field as uint16 instead of uint32 which could lead to memory overflow
Technology Area Camera Driver
Vulnerability Type CWE-121 Stack-based Buffer Overflow
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* SDA845, SDM845, SM8150

CVE-2019-14116

CVE ID CVE-2019-14116
Title Permissions, Privileges and Access Control Issue in Trustzone
Description Privilege escalation by using an altered debug policy image can occur as the XPU protecting the debug policy regions are disabled during the crash dump boot flow
Technology Area WIN TZ FW
Vulnerability Type CWE-264 Permissions, Privileges, and Access Controls
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* IPQ6018

CVE-2019-14127

CVE ID CVE-2019-14127
Title Buffer Copy Without Checking Size of Input in Video
Description Possible buffer overflow while playing mkv clip due to lack of validation of atom size buffer
Technology Area Video
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCS605, QM215, Rennell, SA6155P, Saipan, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-14134

CVE ID CVE-2019-14134
Title Buffer Over-read Issue in WLAN
Description Possible out of bound access in WLAN handler when the received value of length in rx path is shorter than the expected value of country IE
Technology Area WLAN Firmware
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* IPQ8074, QCA8081, QCS605, SDA845, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SXR1130

CVE-2019-14135

CVE ID CVE-2019-14135
Title Buffer Copy Without Checking Size of Input in WLAN
Description Possible integer overflow to buffer overflow in WLAN while parsing nonstandard NAN IE messages.
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA4010, QCA6174A, QCA6574AU, QCA6584AU, QCA8081, QCA9377, QCA9379, QCA9886, QCN7605, QCS405, QCS605, SA6155P, Saipan, SDA845, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130

CVE-2020-3652

CVE ID CVE-2020-3652
Title Buffer Over-read Issue in WLAN
Description Possible buffer over-read issue in Windows x86 WLAN driver function while processing a beacon or request frame, due to a missing check on the length of a received variable.
Technology Area WLAN Windows Host
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported 12/28/2019
Customer Notified Date 02/11/2020
Affected Chipsets* MSM8998, QCA6390, SC7180, SC8180X, SDM850

CVE-2020-3653

CVE ID CVE-2020-3653
Title Buffer Over-read Issue in WLAN
Description Possible buffer over-read in Windows WLAN driver function due to a missing check on the length of a variable received from userspace
Technology Area WLAN Windows Host
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported 12/28/2019
Customer Notified Date 02/11/2020
Affected Chipsets* MSM8998, QCA6390, SC7180, SC8180X, SDM850

CVE-2019-10523

CVE ID CVE-2019-10523
Title Information Exposure Issue in Telephony
Description Target-specific data is sent to a remote server, which leads to information exposure
Technology Area Telephony
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating Medium
Date Reported 03/21/2019
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8009, APQ8053, APQ8096AU, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, QCA6574AU, QCS605, Rennell, SDA660, SDM429W, SDM439, SDM450, SDM710, SDM845, SM7150, SM8150, SM8250, SXR2130

CVE-2019-10574

CVE ID CVE-2019-10574
Title Buffer Over-read Issue in HLOS
Description Lack of boundary checks for data offsets received from HLOS can lead to out-of-bound read
Technology Area HLOS
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported 03/07/2019
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8009, APQ8016, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, QCM2150, QCS605, QM215, Rennell, SC7180, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SXR1130, SXR2130



* Data is generated only at the time of bulletin creation

Open Source Software Issues

The tables below summarize security vulnerabilities that were addressed through open source software.

This table lists high-impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.

Public ID Security Rating Technology Area Date Reported
CVE-2019-14131 Critical WLAN HOST 11/12/2019
CVE-2019-14070 High Audio Internal
CVE-2019-14104 High Camera Driver Internal
CVE-2019-14122 High Qualcomm IPC Internal
CVE-2019-14132 High Video Internal
CVE-2020-3651 High WLAN HOST 10/14/2019

This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.

Public ID Security Rating Technology Area Date Reported
CVE-2019-10547 Medium Kernel 03/26/2019
CVE-2019-10556 Medium Display 12/21/2018
CVE-2019-10620 Medium Display 12/26/2017
CVE-2019-10621 Medium NPU 07/22/2019
CVE-2019-10622 Medium Audio 07/15/2019
CVE-2019-10623 Medium WLAN HOST 03/04/2019
CVE-2019-10624 Medium WLAN HOST 03/06/2019
CVE-2019-10625 Medium Core Services 06/15/2019

CVE-2019-14131

CVE ID CVE-2019-14131
Title Improper Validation of Array Index in WLAN
Description Out-of-bounds write can occur in radio measurement request if the STA receives multiple invalid RRM measurement requests from the AP
Technology Area WLAN HOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Remote
Security Rating Critical
Date Reported 11/12/2019
Customer Notified Date 01/06/2020
Affected Chipsets* APQ8053, APQ8096AU, MSM8998, Nicobar, QCA6574AU, QCS605, Rennell, SA6155P, Saipan, SC8180X, SDM660, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130
Patch*

CVE-2019-14070

CVE ID CVE-2019-14070
Title Use After Free Issue in Audio
Description Possible use-after-free issue in PCM volume controls due to a race condition in private data used in mixer controls
Technology Area Audio
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, IPQ4019, IPQ6018, IPQ8064, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9615, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCS605, QM215, Rennell, SA6155P, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
Patch*

CVE-2019-14104

CVE ID CVE-2019-14104
Title Buffer Over-read Issue in Camera
Description Slab-out-of-bounds access can occur if the context pointer is invalid due to lack of null check on pointer before accessing it
Technology Area Camera Driver
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* APQ8053, SC8180X, SDX55, SM8150
Patch*

CVE-2019-14122

CVE ID CVE-2019-14122
Title Detection of Error Condition without Action in Qualcomm IPC
Description Memory failure in SKB if it fails to add the requested padding to the skb on low-memory targets or targets with major memory fragmentation
Technology Area Qualcomm IPC
Vulnerability Type CWE-390 Detection of Error Condition Without Action
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* Saipan, SM8150, SM8250, SXR2130
Patch*

CVE-2019-14132

CVE ID CVE-2019-14132
Title Reachable Assertion in Video
Description Buffer overwrite, and hence memory corruption, when a 0-byte buffer is typecast to some other structure
Technology Area Video
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* QCS605, SA6155P, SM8150
Patch*

CVE-2020-3651

CVE ID CVE-2020-3651
Title Reachable Assertion in WLAN
Description Active command timeout since WM status change cmd is not removed from active queue if peer sends multiple deauth frames.
Technology Area WLAN HOST
Vulnerability Type CWE-617 Reachable Assertion
Access Vector Remote
Security Rating High
Date Reported 10/14/2019
Customer Notified Date 02/03/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCM2150, QCN7605, QCS605, QM215, SC8180X, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX24, SDX55, SM8150, SXR1130
Patch*

CVE-2019-10547

CVE ID CVE-2019-10547
Title Uncontrolled Resource Consumption in Kernel
Description When issuing IOCTL calls to ION, a memory leak can occur due to a failure to unassign pages under certain conditions
Technology Area Kernel
Vulnerability Type CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
Access Vector Local
Security Rating Medium
Date Reported 03/26/2019
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8009, APQ8053, APQ8096AU, APQ8098, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8953, MSM8996AU, Nicobar, QCN7605, QCS605, Rennell, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM710, SDX24, SDX55, SM7150, SM8150, SM8250, SXR2130
Patch*

CVE-2019-10556

CVE ID CVE-2019-10556
Title Buffer Copy Without Checking Size of Input in Display
Description Missing length check before copying the data from kernel space to userspace through the copy function can lead to buffer overflow in some cases
Technology Area Display
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating Medium
Date Reported 12/21/2018
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8009, APQ8053, APQ8096AU, MSM8909W, MSM8917, MSM8953, Nicobar, QCN7605, QCS405, QCS605, QM215, Rennell, Saipan, SC8180X, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM670, SDM710, SDM845, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
Patch*

CVE-2019-10620

CVE ID CVE-2019-10620
Title Buffer Copy Without Checking Size of Input in Display
Description Kernel memory error in debug module due to improper check of user data length before copying into memory
Technology Area Display
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating Medium
Date Reported 12/26/2017
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8096AU, APQ8098, MSM8996AU, QCN7605, SDM439, SDX24, SM8150
Patch*

CVE-2019-10621

CVE ID CVE-2019-10621
Title Use After Free Issue in Neural Processing Unit
Description Use-after-free issue when MAP and UNMAP are called at the same time, as the data structure used by MAP may be freed by the UNMAP function
Technology Area NPU
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 07/22/2019
Customer Notified Date 10/07/2019
Affected Chipsets* Nicobar, QCS405, Rennell, Saipan, SC8180X, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130
Patch*

CVE-2019-10622

CVE ID CVE-2019-10622
Title Buffer Over-read issue in Audio
Description Out-of-bounds memory access can happen while parsing an ADSP message due to the lack of a check on the size of the payload received from userspace
Technology Area Audio
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported 07/15/2019
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8009, APQ8096AU, IPQ4019, IPQ6018, IPQ8064, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, QCN7605, QCS605, SC8180X, SDM710, SDX24, SDX55, SM8150, SM8250, SXR2130
Patch*

CVE-2019-10623

CVE ID CVE-2019-10623
Title Integer Overflow to Buffer Overflow in WLAN Host
Description Possible integer overflow can happen in host driver while processing user controlled string due to improper validation on data received.
Technology Area WLAN HOST
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating Medium
Date Reported 03/04/2019
Customer Notified Date 10/07/2019
Affected Chipsets* QCN7605, QCS605, Rennell, SC8180X, SDA845, SDM710, SDX24, SDX55, SM7150, SM8150, SM8250, SXR2130
Patch*

CVE-2019-10624

CVE ID CVE-2019-10624
Title Integer Overflow to Buffer Overflow in WLAN Host
Description While handling the vendor command, there is an integer truncation issue that could yield a buffer overflow due to an int data type being copied to a u8 data type
Technology Area WLAN HOST
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating Medium
Date Reported 03/06/2019
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8096AU, MSM8996AU, QCA6574AU, QCN7605, Rennell, SC8180X, SDM710, SDX55, SM7150, SM8150, SM8250, SXR2130
Patch*

CVE-2019-10625

CVE ID CVE-2019-10625
Title Buffer Over-read Issue in Diag Services
Description Out of bound access in diag services when DCI command buffer reallocation is not done properly with required capacity
Technology Area Core Services
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported 06/15/2019
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8009, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, QCS605, Rennell, SC8180X, SDM429W, SDM710, SDX55, SM7150, SM8150
Patch*

* Data is generated only at the time of bulletin creation

Industry Coordination

Security ratings of issues included in Android security bulletins and in these bulletins match in the most common scenarios, but may differ in some cases for one of the following reasons:

  • Consideration of security protections, such as SELinux, that are not enforced on some platforms
  • Differences in the assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high-level OS kernel

Version History

Version Date Comments
1.0 April 6, 2020 Bulletin Published

All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.

Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.

This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.

©2020 Qualcomm Technologies, Inc. and/or its affiliated companies.
