April 2020 Security Bulletin

Version 1.1

Published: 04/06/2020

This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices..

Please reach out to [email protected] for any questions related to this bulletin.

Table of Contents

Announcements::

Acknowledgements::

Proprietary Software Issues:::

Open Source Software Issues:

Industry Coordination:

Version History:

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2019-14131	aedla
CVE-2020-3650, CVE-2020-3652, CVE-2020-3653	Haikuo Xie and Ying Wang of Baidu X-lab
CVE-2019-14009	Arash Tohidi
CVE-2019-14018, CVE-2019-14021	Peter Park(peterpark)
CVE-2019-10556	Jianqiang Zhao(@jianqiangzhao) and pjf(weibo.com/jfpan) of IceSword Lab, Qihoo 360
CVE-2019-10574	Slava Makkaveev [email protected]
CVE-2019-10620	Jianqiang Zhao (jianqiangzhao)
CVE-2019-10623, CVE-2019-10624	D.2.Y.P (d2yp_)

Proprietary Software Issues

The tables below summarize security vulnerabilities that were addressed through proprietary software

This table list high impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.

Public ID	Security Rating	Technology Area	Date Reported
CVE-2019-10575	Critical	Core	Internal
CVE-2019-10588	Critical	Data Modem	Internal
CVE-2019-10609	Critical	Data Modem	Internal
CVE-2019-14110	Critical	WLAN Firmware	Internal
CVE-2019-14111	Critical	WLAN Firmware	Internal
CVE-2019-14112	Critical	WLAN Firmware	Internal
CVE-2019-14113	Critical	WLAN Firmware	Internal
CVE-2019-14114	Critical	WLAN Firmware	Internal
CVE-2020-3650	Critical	WLAN Windows Host	12/28/2019
CVE-2019-10483	High	Core, QWES	Internal
CVE-2019-10551	High	Data Modem	Internal
CVE-2019-10589	High	QTEE	Internal
CVE-2019-10608	High	Content Protection	Internal
CVE-2019-10610	High	Data Modem	Internal
CVE-2019-14001	High	HLOS	Internal
CVE-2019-14007	High	Content Protection	Internal
CVE-2019-14009	High	NFC	05/21/2019
CVE-2019-14011	High	Multi-Mode Call Processor	Internal
CVE-2019-14012	High	Data Modem	Internal
CVE-2019-14018	High	WCDMA	07/08/2019
CVE-2019-14019	High	Multi-Mode Call Processor	Internal
CVE-2019-14020	High	Multi-Mode Call Processor	Internal
CVE-2019-14021	High	GPS	07/08/2019
CVE-2019-14022	High	Data Modem	Internal
CVE-2019-14033	High	Multi-Mode Call Processor	Internal
CVE-2019-14075	High	RIL	Internal
CVE-2019-14105	High	Camera Driver	Internal
CVE-2019-14116	High	WIN TZ FW	Internal
CVE-2019-14127	High	Video	Internal
CVE-2019-14134	High	WLAN Firmware	Internal
CVE-2019-14135	High	WLAN Firmware	Internal
CVE-2020-3652	High	WLAN Windows Host	12/28/2019
CVE-2020-3653	High	WLAN Windows Host	12/28/2019

This table list moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.

 

Public ID	Security Rating	Technology Area	Date Reported
CVE-2019-10523	Medium	Telephony	03/21/2019
CVE-2019-10574	Medium	HLOS	03/07/2019

CVE-2019-10575

CVE ID	CVE-2019-10575
Title	Improper Authentication Issue in WLAN
Description	Wlan binary which is not signed with OEM’s RoT is working on secure device without authentication failure
Technology Area	Core
Vulnerability Type	CWE-287 Improper Authentication
Access Vector	Local
Security Rating	Critical
Date Reported	Internal
Customer Notified Date	10/07/2019
Affected Chipsets*	SDA845, SDM845, SDM850

CVE-2019-10588

CVE ID	CVE-2019-10588
Title	Buffer Copy Without Checking Size of Input in Data Modem
Description	Copying RTCP messages into the output buffer without checking the destination buffer size which could lead to a remote stack overflow.
Technology Area	Data Modem
Vulnerability Type	CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector	Remote
Security Rating	Critical
Date Reported	Internal
Customer Notified Date	10/07/2019
Affected Chipsets*	APQ8009, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-10609

CVE ID	CVE-2019-10609
Title	Improper Validation of Array Index in Modem Data
Description	Out of bound write can happen due to lack of check of array index value while calculating it.
Technology Area	Data Modem
Vulnerability Type	CWE-129 Improper Validation of Array Index
Access Vector	Remote
Security Rating	Critical
Date Reported	Internal
Customer Notified Date	10/07/2019
Affected Chipsets*	APQ8009, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-14110

CVE ID	CVE-2019-14110
Title	Buffer Copy Without Checking Size of Input in WLAN
Description	Buffer overflow can occur in function wlan firmware while copying association frame content if frame length is more than the maximum buffer size in case of SAP mode
Technology Area	WLAN Firmware
Vulnerability Type	CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector	Remote
Security Rating	Critical
Date Reported	Internal
Customer Notified Date	01/06/2020
Affected Chipsets*	APQ8009, APQ8017, APQ8053, APQ8064, APQ8096, APQ8096AU, APQ8098, IPQ6018, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA4531, QCA6174A, QCA6564, QCA6574AU, QCA6584, QCA6584AU, QCA8081, QCA9377, QCA9379, QCA9886, QCN7605, QCS404, QCS405, QCS605, Rennell, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130, SXR2130

CVE-2019-14111

CVE ID	CVE-2019-14111
Title	Possible Buffer Overflow Issue in WLAN
Description	Possible buffer overflow while handling NAN reception of NMF
Technology Area	WLAN Firmware
Vulnerability Type	CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector	Remote
Security Rating	Critical
Date Reported	Internal
Customer Notified Date	01/06/2020
Affected Chipsets*	IPQ6018, IPQ8074, Nicobar, QCA6390, QCA8081, QCN7605, QCS404, QCS405, Rennell, SC7180, SC8180X, SM6150, SM7150, SM8150, SXR2130

CVE-2019-14112

CVE ID	CVE-2019-14112
Title	Buffer Copy Without Checking Size of Input in WLAN
Description	Potential buffer overflow while processing CBF frames due to lack of check of buffer length before copy
Technology Area	WLAN Firmware
Vulnerability Type	CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector	Remote
Security Rating	Critical
Date Reported	Internal
Customer Notified Date	01/06/2020
Affected Chipsets*	APQ8098, IPQ6018, IPQ8074, MSM8998, Nicobar, QCA8081, QCN7605, QCS404, QCS605, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SXR1130, SXR2130

CVE-2019-14113

CVE ID	CVE-2019-14113
Title	Integer Overflow to Buffer Overflow Issue in WLAN
Description	Buffer overflow can occur in In WLAN firmware while unwraping data using CCMP cipher suite during parsing of EAPOL handshake frame
Technology Area	WLAN Firmware
Vulnerability Type	CWE-680 Integer Overflow to Buffer Overflow
Access Vector	Remote
Security Rating	Critical
Date Reported	Internal
Customer Notified Date	01/06/2020
Affected Chipsets*	APQ8009, APQ8017, APQ8053, APQ8064, APQ8096, APQ8096AU, APQ8098, IPQ6018, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8996AU, MSM8998, Nicobar, QCA4531, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA8081, QCA9377, QCA9379, QCA9886, QCN7605, QCS404, QCS405, QCS605, Rennell, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130, SXR2130

CVE-2019-14114

CVE ID	CVE-2019-14114
Title	Integer Overflow to Buffer Overflow Issue in WLAN
Description	Buffer overflow in WLAN firmware while parsing GTK IE containing GTK key having length more than the buffer size
Technology Area	WLAN Firmware
Vulnerability Type	CWE-680 Integer Overflow to Buffer Overflow
Access Vector	Remote
Security Rating	Critical
Date Reported	Internal
Customer Notified Date	01/06/2020
Affected Chipsets*	APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, IPQ6018, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8996AU, MSM8998, Nicobar, QCA4531, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA8081, QCA9377, QCA9379, QCA9886, QCN7605, QCS404, QCS405, QCS605, Rennell, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130, SXR2130

CVE-2020-3650

CVE ID	CVE-2020-3650
Title	Buffer Copy Without Checking Size of Input in WLAN
Description	Possible buffer overflow issues in IEEE80211 driver while processing IE entered by the user due to improper length check of data received.
Technology Area	WLAN Windows Host
Vulnerability Type	CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector	Remote
Security Rating	Critical
Date Reported	12/28/2019
Customer Notified Date	02/11/2020
Affected Chipsets*

CVE-2019-10483

CVE ID	CVE-2019-10483
Title	Information Exposure issue in QTEE
Description	Side channel issue in QTEE due to usage of non-time-constant comparison function such as memcmp or strcmp
Technology Area	Core, QWES
Vulnerability Type	CWE-200 Information Exposure
Access Vector	Local
Security Rating	High
Date Reported	Internal
Customer Notified Date	10/07/2019
Affected Chipsets*	APQ8009, APQ8016, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, IPQ8074, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, QCA8081, QCS404, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX55, SM6150, SM7150, SM8150, SXR1130, SXR2130

CVE-2019-10551

CVE ID	CVE-2019-10551
Title	String Errors in Modem Data
Description	String error while processing non standard SIP messages received can lead to buffer overread and then denial of service
Technology Area	Data Modem
Vulnerability Type	CWE-133 String Errors
Access Vector	Remote
Security Rating	High
Date Reported	Internal
Customer Notified Date	10/07/2019
Affected Chipsets*	APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-10589

CVE ID	CVE-2019-10589
Title	Buffer Copy Without Checking Size of Input in QTEE
Description	Lack of length check of response buffer can lead to buffer over-flow while GP command response buffer handling
Technology Area	QTEE
Vulnerability Type	CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector	Local
Security Rating	High
Date Reported	Internal
Customer Notified Date	10/07/2019
Affected Chipsets*	APQ8017, APQ8053, APQ8098, MDM9206, MDM9607, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8998, QM215, SDA660, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660

CVE-2019-10608

CVE ID	CVE-2019-10608
Title	Information Exposure Issue in Content Protection
Description	Information disclosure issue occurs as there is no binding between the secure keypad session and the secure display session that allows user to take control of the REE to stop the secure keypad session and read the keypad input.
Technology Area	Content Protection
Vulnerability Type	CWE-200 Information Exposure
Access Vector	Local
Security Rating	High
Date Reported	Internal
Customer Notified Date	10/07/2019
Affected Chipsets*	APQ8009, MSM8905, MSM8909

CVE-2019-10610

CVE ID	CVE-2019-10610
Title	Buffer Over-read in Modem Data
Description	Possible buffer over read when trying to process SDP message Video media line with frame-size attribute in video Media line
Technology Area	Data Modem
Vulnerability Type	CWE-126 Buffer Over-read
Access Vector	Remote
Security Rating	High
Date Reported	Internal
Customer Notified Date	10/07/2019
Affected Chipsets*	APQ8009, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-14001

CVE ID	CVE-2019-14001
Title	Cryptographic Issue in HLOS
Description	Wrong public key usage from existing oem_keystore for hash generation
Technology Area	HLOS
Vulnerability Type	CWE-310 Cryptographic Issues
Access Vector	Local
Security Rating	High
Date Reported	Internal
Customer Notified Date	10/07/2019
Affected Chipsets*	APQ8009, APQ8017, APQ8053, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8953, MSM8996AU, QM215, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDX20

CVE-2019-14007

CVE ID	CVE-2019-14007
Title	Information Exposure Issue in Content Protection
Description	Due to the use of non-time-constant comparison functions there is issue in timing side channels which can be used as a potential side channel for SUI corruption
Technology Area	Content Protection
Vulnerability Type	CWE-200 Information Exposure
Access Vector	Local
Security Rating	High
Date Reported	Internal
Customer Notified Date	10/07/2019
Affected Chipsets*	APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCS404, QCS405, QCS605, QM215, Rennell, SA6155P, SC7180, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130, SXR2130

CVE-2019-14009

CVE ID	CVE-2019-14009
Title	Use of Out of Range Pointer Offset Issue in Trustzone Application
Description	Out of bound memory access while processing TZ command handler due to improper input validation on response length received from user
Technology Area	NFC
Vulnerability Type	CWE-823 Use of Out-of-range Pointer Offset
Access Vector	Local
Security Rating	High
Date Reported	05/21/2019
Customer Notified Date	10/07/2019
Affected Chipsets*	APQ8009, APQ8098, MDM9150, MDM9607, MDM9650, MSM8905, MSM8909, MSM8998, SDA660, SDA845, SDM630, SDM636, SDM660, SDM845, SDM850, SXR2130

CVE-2019-14011

CVE ID	CVE-2019-14011
Title	Buffer Over-read Issue in Multi Mode Call Processor
Description	Multiple Read overflows issue due to improper length check while decoding 3G attach accept/ SMS/ pdn connection reject/ esm data transport/ bearer modify context reject
Technology Area	Multi-Mode Call Processor
Vulnerability Type	CWE-126 Buffer Over-read
Access Vector	Remote
Security Rating	High
Date Reported	Internal
Customer Notified Date	10/07/2019
Affected Chipsets*	APQ8009, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-14012

CVE ID	CVE-2019-14012
Title	Null Pointer Dereference Issue in Modem Data
Description	Possibility of null pointer deference as the array of video codecs from media info is referenced without null checking while processing SDP messages
Technology Area	Data Modem
Vulnerability Type	CWE-476 NULL Pointer Dereference
Access Vector	Remote
Security Rating	High
Date Reported	Internal
Customer Notified Date	10/07/2019
Affected Chipsets*	MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, Nicobar, QCM2150, QM215, Rennell, SC7180, SC8180X, SDA845, SDM429, SDM439, SDM450, SDM632, SDM845, SDM850, SDX24, SM6150, SM7150, SM8150

CVE-2019-14018

CVE ID	CVE-2019-14018
Title	Improper Validation of Array Index in WCDMA
Description	Possible out of bound array access as there is no check on carrier index passed
Technology Area	WCDMA
Vulnerability Type	CWE-129 Improper Validation of Array Index
Access Vector	Local
Security Rating	High
Date Reported	07/08/2019
Customer Notified Date	10/07/2019
Affected Chipsets*	APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-14019

CVE ID	CVE-2019-14019
Title	Buffer over-read Issue in Multi Mode Call Processor
Description	Multiple Read overflows issue due to improper length check while decoding RAU accept/PDN disconnect Rej/Modify EPS ctxt req/bearer resource alloc Rej/Deact EPs bearer REq
Technology Area	Multi-Mode Call Processor
Vulnerability Type	CWE-126 Buffer Over-read
Access Vector	Remote
Security Rating	High
Date Reported	Internal
Customer Notified Date	10/07/2019
Affected Chipsets*	APQ8009, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-14020

CVE ID	CVE-2019-14020
Title	Buffer over-read Issue in Multi Mode Call Processor
Description	Multiple Read overflows issue due to improper length check while decoding dedicated_eps_bearer_req/ act_def_context_req/ cs_serv_notification/ emm_info/ guti_realloc_cmd
Technology Area	Multi-Mode Call Processor
Vulnerability Type	CWE-126 Buffer Over-read
Access Vector	Remote
Security Rating	High
Date Reported	Internal
Customer Notified Date	10/07/2019
Affected Chipsets*	APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-14021

CVE ID	CVE-2019-14021
Title	Buffer Copy Without Checking Size of Input in GPS Subsystem
Description	Possible buffer overrun when processing EFS filename and payload sent over diag interface due to lack of check for filename length and payload size received
Technology Area	GPS
Vulnerability Type	CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector	Local
Security Rating	High
Date Reported	07/08/2019
Customer Notified Date	10/07/2019
Affected Chipsets*	APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-14022

CVE ID	CVE-2019-14022
Title	Reachable Assertion in Modem Data
Description	Error occurs While extracting the ipv6_header having an invalid length due to lack of length check
Technology Area	Data Modem
Vulnerability Type	CWE-617 Reachable Assertion
Access Vector	Remote
Security Rating	High
Date Reported	Internal
Customer Notified Date	10/07/2019
Affected Chipsets*	APQ8096AU, MDM9205, MDM9206, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-14033

CVE ID	CVE-2019-14033
Title	Buffer Over-read Issue in Multi Mode Call Processor
Description	Multiple Read overflows issue due to improper length check while decoding tau reject/tau accept/detach request/attach reject/attach accept
Technology Area	Multi-Mode Call Processor
Vulnerability Type	CWE-126 Buffer Over-read
Access Vector	Remote
Security Rating	High
Date Reported	Internal
Customer Notified Date	10/07/2019
Affected Chipsets*	APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-14075

CVE ID	CVE-2019-14075
Title	Null Pointer Dereference Issue in Radio Interface layer
Description	Null pointer dereference issue in radio interface layer due to lack of null check in sapmodule destructor
Technology Area	RIL
Vulnerability Type	CWE-476 NULL Pointer Dereference
Access Vector	Local
Security Rating	High
Date Reported	Internal
Customer Notified Date	12/02/2019
Affected Chipsets*	MDM9607, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8998, Nicobar, QCS605, Rennell, Saipan, SDM450, SDM630, SDM636, SDM660, SDM670, SDM710, SM6150, SM7150, SM8150, SM8250, SXR2130

CVE-2019-14105

CVE ID	CVE-2019-14105
Title	Stack Based Buffer Overflow in Camera
Description	Kernel was reading the CSL defined reserved field as uint16 instead of uint32 which could lead to memory overflow
Technology Area	Camera Driver
Vulnerability Type	CWE-121 Stack-based Buffer Overflow
Access Vector	Local
Security Rating	High
Date Reported	Internal
Customer Notified Date	01/06/2020
Affected Chipsets*	SDA845, SDM845, SM8150

CVE-2019-14116

CVE ID	CVE-2019-14116
Title	Permissions, Privileges and Access Control Issue in Trustzone
Description	Privilege escalation by using an altered debug policy image can occur as the XPU protecting the debug policy regions are disabled during the crash dump boot flow
Technology Area	WIN TZ FW
Vulnerability Type	CWE-264 Permissions, Privileges, and Access Controls
Access Vector	Local
Security Rating	High
Date Reported	Internal
Customer Notified Date	01/06/2020
Affected Chipsets*	IPQ6018

CVE-2019-14127

CVE ID	CVE-2019-14127
Title	Buffer Copy Without Checking Size of Input in Video
Description	Possible buffer overflow while playing mkv clip due to lack of validation of atom size buffer
Technology Area	Video
Vulnerability Type	CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector	Remote
Security Rating	High
Date Reported	Internal
Customer Notified Date	01/06/2020
Affected Chipsets*	APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCS605, QM215, Rennell, SA6155P, Saipan, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-14134

CVE ID	CVE-2019-14134
Title	Buffer Over-read Issue in WLAN
Description	Possible out of bound access in WLAN handler when the received value of length in rx path is shorter than the expected value of country IE
Technology Area	WLAN Firmware
Vulnerability Type	CWE-126 Buffer Over-read
Access Vector	Remote
Security Rating	High
Date Reported	Internal
Customer Notified Date	01/06/2020
Affected Chipsets*	IPQ8074, QCA8081, QCS605, SDA845, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SXR1130

CVE-2019-14135

CVE ID	CVE-2019-14135
Title	Buffer Copy Without Checking Size of Input in WLAN
Description	Possible integer overflow to buffer overflow in WLAN while parsing nonstandard NAN IE messages.
Technology Area	WLAN Firmware
Vulnerability Type	CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector	Local
Security Rating	High
Date Reported	Internal
Customer Notified Date	01/06/2020
Affected Chipsets*	APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA4010, QCA6174A, QCA6574AU, QCA6584AU, QCA8081, QCA9377, QCA9379, QCA9886, QCN7605, QCS405, QCS605, SA6155P, Saipan, SDA845, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130

CVE-2020-3652

CVE ID	CVE-2020-3652
Title	Buffer Over-read Issue in WLAN
Description	Possible buffer over-read issue in windows x86 wlan driver function while processing beacon or request frame due to lack of check of length of variable received.
Technology Area	WLAN Windows Host
Vulnerability Type	CWE-126 Buffer Over-read
Access Vector	Remote
Security Rating	High
Date Reported	12/28/2019
Customer Notified Date	02/11/2020
Affected Chipsets*	MSM8998, QCA6390, SC7180, SC8180X, SDM850

CVE-2020-3653

CVE ID	CVE-2020-3653
Title	Buffer Over-read Issue in WLAN
Description	Possible buffer over-read in windows wlan driver function due to lack of check of length of variable received from userspace
Technology Area	WLAN Windows Host
Vulnerability Type	CWE-126 Buffer Over-read
Access Vector	Remote
Security Rating	High
Date Reported	12/28/2019
Customer Notified Date	02/11/2020
Affected Chipsets*	MSM8998, QCA6390, SC7180, SC8180X, SDM850

CVE-2019-10523

CVE ID	CVE-2019-10523
Title	Information Exposure Issue in Telephony
Description	Target specific data is being sent to remote server and leads to information exposure
Technology Area	Telephony
Vulnerability Type	CWE-200 Information Exposure
Access Vector	Local
Security Rating	Medium
Date Reported	03/21/2019
Customer Notified Date	10/07/2019
Affected Chipsets*	APQ8009, APQ8053, APQ8096AU, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, QCA6574AU, QCS605, Rennell, SDA660, SDM429W, SDM439, SDM450, SDM710, SDM845, SM7150, SM8150, SM8250, SXR2130

CVE-2019-10574

CVE ID	CVE-2019-10574
Title	Buffer Over-read Issue in HLOS
Description	Lack of boundary checks for data offsets received from HLOS can lead to out-of-bound read
Technology Area	HLOS
Vulnerability Type	CWE-126 Buffer Over-read
Access Vector	Local
Security Rating	Medium
Date Reported	03/07/2019
Customer Notified Date	10/07/2019
Affected Chipsets*	APQ8009, APQ8016, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, QCM2150, QCS605, QM215, Rennell, SC7180, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SXR1130, SXR2130

* Data is generated only at the time of bulletin creation

Open Source Software Issues

The tables below summarize security vulnerabilities that were addressed through open source software

This table list high impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.

Public ID	Security Rating	Technology Area	Date Reported
CVE-2019-14131	Critical	WLAN HOST	11/12/2019
CVE-2019-14070	High	Audio	Internal
CVE-2019-14104	High	Camera Driver	Internal
CVE-2019-14122	High	Qualcomm IPC	Internal
CVE-2019-14132	High	Video	Internal
CVE-2020-3651	High	WLAN HOST	10/14/2019

This table list moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.

Public ID	Security Rating	Technology Area	Date Reported
CVE-2019-10547	Medium	Kernel	03/26/2019
CVE-2019-10556	Medium	Display	12/21/2018
CVE-2019-10620	Medium	Display	12/26/2017
CVE-2019-10621	Medium	NPU	07/22/2019
CVE-2019-10622	Medium	Audio	07/15/2019
CVE-2019-10623	Medium	WLAN HOST	03/04/2019
CVE-2019-10624	Medium	WLAN HOST	03/06/2019
CVE-2019-10625	Medium	Core Services	06/15/2019

CVE-2019-14131

CVE ID	CVE-2019-14131
Title	Improper Validation of Array Index in WLAN
Description	Out of bound write can occur in radio measurement request if STA receives multiple invalid rrm measurement request from AP
Technology Area	WLAN HOST
Vulnerability Type	CWE-129 Improper Validation of Array Index
Access Vector	Remote
Security Rating	Critical
Date Reported	11/12/2019
Customer Notified Date	01/06/2020
Affected Chipsets*	APQ8053, APQ8096AU, MSM8998, Nicobar, QCA6574AU, QCS605, Rennell, SA6155P, Saipan, SC8180X, SDM660, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130
Patch*	https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=99a1b58a1f9f6420cf1400f2399643310cf70e2b

CVE-2019-14070

CVE ID	CVE-2019-14070
Title	Use After Free Issue in Audio
Description	Possible use after free issue in pcm volume controls due to race condition exist in private data used in mixer controls
Technology Area	Audio
Vulnerability Type	CWE-416 Use After Free
Access Vector	Local
Security Rating	High
Date Reported	Internal
Customer Notified Date	01/06/2020
Affected Chipsets*	APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, IPQ4019, IPQ6018, IPQ8064, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9615, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCS605, QM215, Rennell, SA6155P, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
Patch*	https://source.codeaurora.org/quic/la/platform/vendor/opensource/audio-kernel/commit/?id=7f82880c4843aa61cbc1bcbeeced68ce4fc2c709 https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=32f201b2097ea94be8a084311e0fe4fd84837b18 https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=4e4e344db412a774d98a3405410ea2ec89ba9de6 https://source.codeaurora.org/quic/la/platform/vendor/opensource/audio-kernel/commit/?id=84408bbdecd0444b6a4e743dbdf9b1f093ee0e6f

CVE-2019-14104

CVE ID	CVE-2019-14104
Title	Buffer Over-read Issue in Camera
Description	Slab-out-of-bounds access can occur if the context pointer is invalid due to lack of null check on pointer before accessing it
Technology Area	Camera Driver
Vulnerability Type	CWE-126 Buffer Over-read
Access Vector	Local
Security Rating	High
Date Reported	Internal
Customer Notified Date	01/06/2020
Affected Chipsets*	APQ8053, SC8180X, SDX55, SM8150
Patch*	https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=9910e89b27224fbddbf7d15d307597e13d9b9258

CVE-2019-14122

CVE ID	CVE-2019-14122
Title	Detection of Error Condition without Action in Qualcomm IPC
Description	Memory failure in SKB if it fails to to add the requested padding to the skb in low memory targets or targets with major memory fragmentation
Technology Area	Qualcomm IPC
Vulnerability Type	CWE-390 Detection of Error Condition Without Action
Access Vector	Local
Security Rating	High
Date Reported	Internal
Customer Notified Date	01/06/2020
Affected Chipsets*	Saipan, SM8150, SM8250, SXR2130
Patch*	https://source.codeaurora.org/quic/la/kernel/msm-4.14/commit/?id=870f0ba0fc05bc6ebac1486b39dc9d94c993eafb

CVE-2019-14132

CVE ID	CVE-2019-14132
Title	Reachable Assertion in Video
Description	Buffer over-write when this 0-byte buffer is typecasted to some other structure and hence memory corruption
Technology Area	Video
Vulnerability Type	CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector	Remote
Security Rating	High
Date Reported	Internal
Customer Notified Date	01/06/2020
Affected Chipsets*	QCS605, SA6155P, SM8150
Patch*	https://source.codeaurora.org/quic/le/platform/hardware/qcom/media/commit/?id=9e80e1db4b56b42f9150d4d51166560d10839f5f

CVE-2020-3651

CVE ID	CVE-2020-3651
Title	Reachable Assertion in WLAN
Description	Active command timeout since WM status change cmd is not removed from active queue if peer sends multiple deauth frames.
Technology Area	WLAN HOST
Vulnerability Type	CWE-617 Reachable Assertion
Access Vector	Remote
Security Rating	High
Date Reported	10/14/2019
Customer Notified Date	02/03/2020
Affected Chipsets*	APQ8009, APQ8017, APQ8053, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCM2150, QCN7605, QCS605, QM215, SC8180X, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX24, SDX55, SM8150, SXR1130
Patch*	https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=6c909ebd4482fa961cad153fb5ce313ba9e4a6ae https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=d771c3a15fe60612f32ef7c8a515f3e2aa0c3183 https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=ce6b5f3855eefbfc622fc48df1f6ff826ce1dd27

CVE-2019-10547

CVE ID	CVE-2019-10547
Title	Uncontrolled Resource Consumption in Kernel
Description	When issuing IOCTL calls to ION, Memory leak can occur due to failure in unassign pages under certain conditions
Technology Area	Kernel
Vulnerability Type	CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
Access Vector	Local
Security Rating	Medium
Date Reported	03/26/2019
Customer Notified Date	10/07/2019
Affected Chipsets*	APQ8009, APQ8053, APQ8096AU, APQ8098, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8953, MSM8996AU, Nicobar, QCN7605, QCS605, Rennell, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM710, SDX24, SDX55, SM7150, SM8150, SM8250, SXR2130
Patch*	https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=0407b58297779744d1f569afe4ad8d66dc5a6237

CVE-2019-10556

CVE ID	CVE-2019-10556
Title	Buffer Copy Without Checking Size of Input in Display
Description	Missing length check before copying the data from kernel space to userspace through the copy function can lead to buffer overflow in some cases
Technology Area	Display
Vulnerability Type	CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector	Local
Security Rating	Medium
Date Reported	12/21/2018
Customer Notified Date	10/07/2019
Affected Chipsets*	APQ8009, APQ8053, APQ8096AU, MSM8909W, MSM8917, MSM8953, Nicobar, QCN7605, QCS405, QCS605, QM215, Rennell, Saipan, SC8180X, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM670, SDM710, SDM845, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
Patch*	https://source.codeaurora.org/quic/la/kernel/msm-4.14/commit/?id=0332c85157bb7e48793b9a5cd3bfdc22b6826d63

CVE-2019-10620

CVE ID	CVE-2019-10620
Title	Buffer Copy Without Checking Size of Input in Display
Description	Kernel memory error in debug module due to improper check of user data length before copying into memory
Technology Area	Display
Vulnerability Type	CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector	Local
Security Rating	Medium
Date Reported	12/26/2017
Customer Notified Date	10/07/2019
Affected Chipsets*	APQ8096AU, APQ8098, MSM8996AU, QCN7605, SDM439, SDX24, SM8150
Patch*	https://source.codeaurora.org/quic/la/kernel/msm-4.14/commit/?id=b569d761610cac60b8ffd4a61b2b168e74b9c27f

CVE-2019-10621

CVE ID	CVE-2019-10621
Title	Use After Free Issue in Neural Processing Unit
Description	Use after free issue when MAP and UNMAP calls at same time as data structure used my MAP may be freed by UNMAP function
Technology Area	NPU
Vulnerability Type	CWE-416 Use After Free
Access Vector	Local
Security Rating	Medium
Date Reported	07/22/2019
Customer Notified Date	10/07/2019
Affected Chipsets*	Nicobar, QCS405, Rennell, Saipan, SC8180X, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130
Patch*	https://source.codeaurora.org/quic/la/kernel/msm-4.14/commit/?id=c07af6ed22ed8b930422268501366816559af650

CVE-2019-10622

CVE ID	CVE-2019-10622
Title	Buffer Over-read issue in Audio
Description	Out of bound memory access can happen while parsing ADSP message due to lack of check of size of payload received from userspace
Technology Area	Audio
Vulnerability Type	CWE-126 Buffer Over-read
Access Vector	Local
Security Rating	Medium
Date Reported	07/15/2019
Customer Notified Date	10/07/2019
Affected Chipsets*	APQ8009, APQ8096AU, IPQ4019, IPQ6018, IPQ8064, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, QCN7605, QCS605, SC8180X, SDM710, SDX24, SDX55, SM8150, SM8250, SXR2130
Patch*	https://source.codeaurora.org/quic/la/platform/vendor/opensource/audio-kernel/commit/?id=43ceb1d1fa4f7411f1bea5ea95ad1ca692daa6d3 https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=4b6fb386eeaa3e16215963c32d27ada762ace428

CVE-2019-10623

CVE ID	CVE-2019-10623
Title	Integer Overflow to Buffer Overflow in WLAN Host
Description	Possible integer overflow can happen in host driver while processing user controlled string due to improper validation on data received.
Technology Area	WLAN HOST
Vulnerability Type	CWE-680 Integer Overflow to Buffer Overflow
Access Vector	Local
Security Rating	Medium
Date Reported	03/04/2019
Customer Notified Date	10/07/2019
Affected Chipsets*	QCN7605, QCS605, Rennell, SC8180X, SDA845, SDM710, SDX24, SDX55, SM7150, SM8150, SM8250, SXR2130
Patch*	https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=aaa0f882f6e4b8f6735798379facb08f2f5a17dd

CVE-2019-10624

CVE ID	CVE-2019-10624
Title	Integer Overflow to Buffer Overflow in WLAN Host
Description	While handling the vendor command there is an integer truncation issue that could yield a buffer overflow due to int data type copied to u8 data type
Technology Area	WLAN HOST
Vulnerability Type	CWE-680 Integer Overflow to Buffer Overflow
Access Vector	Local
Security Rating	Medium
Date Reported	03/06/2019
Customer Notified Date	10/07/2019
Affected Chipsets*	APQ8096AU, MSM8996AU, QCA6574AU, QCN7605, Rennell, SC8180X, SDM710, SDX55, SM7150, SM8150, SM8250, SXR2130
Patch*	https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=b2d3cf8b4ff14ef932fa7c3632c06e88e7114d8a

CVE-2019-10625

CVE ID	CVE-2019-10625
Title	Buffer Over-read Issue in Diag Services
Description	Out of bound access in diag services when DCI command buffer reallocation is not done properly with required capacity
Technology Area	Core Services
Vulnerability Type	CWE-126 Buffer Over-read
Access Vector	Local
Security Rating	Medium
Date Reported	06/15/2019
Customer Notified Date	10/07/2019
Affected Chipsets*	APQ8009, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, QCS605, Rennell, SC8180X, SDM429W, SDM710, SDX55, SM7150, SM8150
Patch*	https://source.codeaurora.org/quic/la/kernel/msm-4.14/commit/?id=1e6b38b163e286754b8d1e1424a3dd543936ed24

* Data is generated only at the time of bulletin creation

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

• Consideration of security protections such as SELinux not enforced on some platforms
• Differences in assessment of some specific scenarios that involves local denial of service or privilege escalation vulnerabilities in the high level OS kernel

Version History

Version	Date	Comments
1.0	April 6, 2020	Bulletin Published
1.1	Nov 17, 2020	CVE-2020-3651 removed from acknowledgments

All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.

Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.

This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.