This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices.
Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.
Announcements: None.
We would like to thank these researchers for their contributions in reporting these issues to us.
CVE-2019-14131 | aedla |
CVE-2020-3650, CVE-2020-3652, CVE-2020-3653 | Haikuo Xie and Ying Wang of Baidu X-lab |
CVE-2019-14009 | Arash Tohidi |
CVE-2019-14018, CVE-2019-14021 | Peter Park (peterpark) |
CVE-2019-10556 | Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360 |
CVE-2019-10574 | Slava Makkaveev slavam@checkpoint.com |
CVE-2019-10620 | Jianqiang Zhao (jianqiangzhao) |
CVE-2019-10623, CVE-2019-10624 | D.2.Y.P (d2yp_) |
Proprietary Software Issues:
This table lists high-impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.
Public ID | Security Rating | Technology Area | Date Reported |
CVE-2019-10575 | Critical | Core | Internal |
CVE-2019-10588 | Critical | Data Modem | Internal |
CVE-2019-10609 | Critical | Data Modem | Internal |
CVE-2019-14110 | Critical | WLAN Firmware | Internal |
CVE-2019-14111 | Critical | WLAN Firmware | Internal |
CVE-2019-14112 | Critical | WLAN Firmware | Internal |
CVE-2019-14113 | Critical | WLAN Firmware | Internal |
CVE-2019-14114 | Critical | WLAN Firmware | Internal |
CVE-2020-3650 | Critical | WLAN Windows Host | 12/28/2019 |
CVE-2019-10483 | High | Core, QWES | Internal |
CVE-2019-10551 | High | Data Modem | Internal |
CVE-2019-10589 | High | QTEE | Internal |
CVE-2019-10608 | High | Content Protection | Internal |
CVE-2019-10610 | High | Data Modem | Internal |
CVE-2019-14001 | High | HLOS | Internal |
CVE-2019-14007 | High | Content Protection | Internal |
CVE-2019-14009 | High | NFC | 05/21/2019 |
CVE-2019-14011 | High | Multi-Mode Call Processor | Internal |
CVE-2019-14012 | High | Data Modem | Internal |
CVE-2019-14018 | High | WCDMA | 07/08/2019 |
CVE-2019-14019 | High | Multi-Mode Call Processor | Internal |
CVE-2019-14020 | High | Multi-Mode Call Processor | Internal |
CVE-2019-14021 | High | GPS | 07/08/2019 |
CVE-2019-14022 | High | Data Modem | Internal |
CVE-2019-14033 | High | Multi-Mode Call Processor | Internal |
CVE-2019-14075 | High | RIL | Internal |
CVE-2019-14105 | High | Camera Driver | Internal |
CVE-2019-14116 | High | WIN TZ FW | Internal |
CVE-2019-14127 | High | Video | Internal |
CVE-2019-14134 | High | WLAN Firmware | Internal |
CVE-2019-14135 | High | WLAN Firmware | Internal |
CVE-2020-3652 | High | WLAN Windows Host | 12/28/2019 |
CVE-2020-3653 | High | WLAN Windows Host | 12/28/2019 |
This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.
Public ID | Security Rating | Technology Area | Date Reported |
CVE-2019-10523 | Medium | Telephony | 03/21/2019 |
CVE-2019-10574 | Medium | HLOS | 03/07/2019 |
CVE ID | CVE-2019-10575 |
Title | Improper Authentication Issue in WLAN |
Description | A WLAN binary that is not signed with the OEM’s RoT runs on a secure device without an authentication failure |
Technology Area | Core |
Vulnerability Type | CWE-287 Improper Authentication |
Access Vector | Local |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | SDA845, SDM845, SDM850 |
CVE ID | CVE-2019-10588 |
Title | Buffer Copy Without Checking Size of Input in Data Modem |
Description | RTCP messages are copied into the output buffer without checking the destination buffer size, which could lead to a remote stack overflow. |
Technology Area | Data Modem |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE ID | CVE-2019-10609 |
Title | Improper Validation of Array Index in Modem Data |
Description | Out-of-bounds write can happen due to lack of a check on the array index value while calculating it. |
Technology Area | Data Modem |
Vulnerability Type | CWE-129 Improper Validation of Array Index |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE ID | CVE-2019-14110 |
Title | Buffer Copy Without Checking Size of Input in WLAN |
Description | Buffer overflow can occur in a WLAN firmware function while copying association frame content if the frame length is more than the maximum buffer size in SAP mode |
Technology Area | WLAN Firmware |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 01/06/2020 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8064, APQ8096, APQ8096AU, APQ8098, IPQ6018, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA4531, QCA6174A, QCA6564, QCA6574AU, QCA6584, QCA6584AU, QCA8081, QCA9377, QCA9379, QCA9886, QCN7605, QCS404, QCS405, QCS605, Rennell, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130, SXR2130 |
CVE ID | CVE-2019-14111 |
Title | Possible Buffer Overflow Issue in WLAN |
Description | Possible buffer overflow while handling NAN reception of NMF |
Technology Area | WLAN Firmware |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 01/06/2020 |
Affected Chipsets* | IPQ6018, IPQ8074, Nicobar, QCA6390, QCA8081, QCN7605, QCS404, QCS405, Rennell, SC7180, SC8180X, SM6150, SM7150, SM8150, SXR2130 |
CVE ID | CVE-2019-14112 |
Title | Buffer Copy Without Checking Size of Input in WLAN |
Description | Potential buffer overflow while processing CBF frames due to lack of check of buffer length before copy |
Technology Area | WLAN Firmware |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 01/06/2020 |
Affected Chipsets* | APQ8098, IPQ6018, IPQ8074, MSM8998, Nicobar, QCA8081, QCN7605, QCS404, QCS605, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SXR1130, SXR2130 |
CVE ID | CVE-2019-14113 |
Title | Integer Overflow to Buffer Overflow Issue in WLAN |
Description | Buffer overflow can occur in WLAN firmware while unwrapping data using the CCMP cipher suite during parsing of an EAPOL handshake frame |
Technology Area | WLAN Firmware |
Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 01/06/2020 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8064, APQ8096, APQ8096AU, APQ8098, IPQ6018, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8996AU, MSM8998, Nicobar, QCA4531, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA8081, QCA9377, QCA9379, QCA9886, QCN7605, QCS404, QCS405, QCS605, Rennell, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130, SXR2130 |
CVE ID | CVE-2019-14114 |
Title | Integer Overflow to Buffer Overflow Issue in WLAN |
Description | Buffer overflow in WLAN firmware while parsing a GTK IE containing a GTK key whose length is more than the buffer size |
Technology Area | WLAN Firmware |
Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 01/06/2020 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, IPQ6018, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8996AU, MSM8998, Nicobar, QCA4531, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA8081, QCA9377, QCA9379, QCA9886, QCN7605, QCS404, QCS405, QCS605, Rennell, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130, SXR2130 |
CVE ID | CVE-2020-3650 |
Title | Buffer Copy Without Checking Size of Input in WLAN |
Description | Possible buffer overflow issues in IEEE80211 driver while processing IE entered by the user due to improper length check of data received. |
Technology Area | WLAN Windows Host |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | 12/28/2019 |
Customer Notified Date | 02/11/2020 |
Affected Chipsets* |
CVE ID | CVE-2019-10483 |
Title | Information Exposure issue in QTEE |
Description | Side channel issue in QTEE due to usage of non-time-constant comparison function such as memcmp or strcmp |
Technology Area | Core, QWES |
Vulnerability Type | CWE-200 Information Exposure |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8009, APQ8016, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, IPQ8074, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, QCA8081, QCS404, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX55, SM6150, SM7150, SM8150, SXR1130, SXR2130 |
CVE ID | CVE-2019-10551 |
Title | String Errors in Modem Data |
Description | String error while processing non-standard SIP messages received can lead to buffer over-read and then denial of service |
Technology Area | Data Modem |
Vulnerability Type | CWE-133 String Errors |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE ID | CVE-2019-10589 |
Title | Buffer Copy Without Checking Size of Input in QTEE |
Description | Lack of a length check on the response buffer can lead to buffer overflow during GP command response buffer handling |
Technology Area | QTEE |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8017, APQ8053, APQ8098, MDM9206, MDM9607, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8998, QM215, SDA660, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660 |
CVE ID | CVE-2019-10608 |
Title | Information Exposure Issue in Content Protection |
Description | Information disclosure issue occurs as there is no binding between the secure keypad session and the secure display session that allows user to take control of the REE to stop the secure keypad session and read the keypad input. |
Technology Area | Content Protection |
Vulnerability Type | CWE-200 Information Exposure |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8009, MSM8905, MSM8909 |
CVE ID | CVE-2019-10610 |
Title | Buffer Over-read in Modem Data |
Description | Possible buffer over read when trying to process SDP message Video media line with frame-size attribute in video Media line |
Technology Area | Data Modem |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE ID | CVE-2019-14001 |
Title | Cryptographic Issue in HLOS |
Description | Wrong public key usage from existing oem_keystore for hash generation |
Technology Area | HLOS |
Vulnerability Type | CWE-310 Cryptographic Issues |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8953, MSM8996AU, QM215, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDX20 |
CVE ID | CVE-2019-14007 |
Title | Information Exposure Issue in Content Protection |
Description | Use of non-time-constant comparison functions creates a timing side channel that can potentially be used for SUI corruption |
Technology Area | Content Protection |
Vulnerability Type | CWE-200 Information Exposure |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCS404, QCS405, QCS605, QM215, Rennell, SA6155P, SC7180, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130, SXR2130 |
CVE ID | CVE-2019-14009 |
Title | Use of Out of Range Pointer Offset Issue in Trustzone Application |
Description | Out of bound memory access while processing TZ command handler due to improper input validation on response length received from user |
Technology Area | NFC |
Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
Access Vector | Local |
Security Rating | High |
Date Reported | 05/21/2019 |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8009, APQ8098, MDM9150, MDM9607, MDM9650, MSM8905, MSM8909, MSM8998, SDA660, SDA845, SDM630, SDM636, SDM660, SDM845, SDM850, SXR2130 |
CVE ID | CVE-2019-14011 |
Title | Buffer Over-read Issue in Multi Mode Call Processor |
Description | Multiple Read overflows issue due to improper length check while decoding 3G attach accept/ SMS/ pdn connection reject/ esm data transport/ bearer modify context reject |
Technology Area | Multi-Mode Call Processor |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8009, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE ID | CVE-2019-14012 |
Title | Null Pointer Dereference Issue in Modem Data |
Description | Possibility of null pointer dereference as the array of video codecs from media info is referenced without null checking while processing SDP messages |
Technology Area | Data Modem |
Vulnerability Type | CWE-476 NULL Pointer Dereference |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, Nicobar, QCM2150, QM215, Rennell, SC7180, SC8180X, SDA845, SDM429, SDM439, SDM450, SDM632, SDM845, SDM850, SDX24, SM6150, SM7150, SM8150 |
CVE ID | CVE-2019-14018 |
Title | Improper Validation of Array Index in WCDMA |
Description | Possible out of bound array access as there is no check on carrier index passed |
Technology Area | WCDMA |
Vulnerability Type | CWE-129 Improper Validation of Array Index |
Access Vector | Local |
Security Rating | High |
Date Reported | 07/08/2019 |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE ID | CVE-2019-14019 |
Title | Buffer over-read Issue in Multi Mode Call Processor |
Description | Multiple Read overflows issue due to improper length check while decoding RAU accept/PDN disconnect Rej/Modify EPS ctxt req/bearer resource alloc Rej/Deact EPs bearer REq |
Technology Area | Multi-Mode Call Processor |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8009, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE ID | CVE-2019-14020 |
Title | Buffer over-read Issue in Multi Mode Call Processor |
Description | Multiple Read overflows issue due to improper length check while decoding dedicated_eps_bearer_req/ act_def_context_req/ cs_serv_notification/ emm_info/ guti_realloc_cmd |
Technology Area | Multi-Mode Call Processor |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE ID | CVE-2019-14021 |
Title | Buffer Copy Without Checking Size of Input in GPS Subsystem |
Description | Possible buffer overrun when processing EFS filename and payload sent over diag interface due to lack of check for filename length and payload size received |
Technology Area | GPS |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Local |
Security Rating | High |
Date Reported | 07/08/2019 |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE ID | CVE-2019-14022 |
Title | Reachable Assertion in Modem Data |
Description | Error occurs while extracting the ipv6_header having an invalid length due to lack of length check |
Technology Area | Data Modem |
Vulnerability Type | CWE-617 Reachable Assertion |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8096AU, MDM9205, MDM9206, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE ID | CVE-2019-14033 |
Title | Buffer Over-read Issue in Multi Mode Call Processor |
Description | Multiple Read overflows issue due to improper length check while decoding tau reject/tau accept/detach request/attach reject/attach accept |
Technology Area | Multi-Mode Call Processor |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE ID | CVE-2019-14075 |
Title | Null Pointer Dereference Issue in Radio Interface layer |
Description | Null pointer dereference issue in radio interface layer due to lack of null check in sapmodule destructor |
Technology Area | RIL |
Vulnerability Type | CWE-476 NULL Pointer Dereference |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 12/02/2019 |
Affected Chipsets* | MDM9607, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8998, Nicobar, QCS605, Rennell, Saipan, SDM450, SDM630, SDM636, SDM660, SDM670, SDM710, SM6150, SM7150, SM8150, SM8250, SXR2130 |
CVE ID | CVE-2019-14105 |
Title | Stack Based Buffer Overflow in Camera |
Description | Kernel was reading the CSL defined reserved field as uint16 instead of uint32 which could lead to memory overflow |
Technology Area | Camera Driver |
Vulnerability Type | CWE-121 Stack-based Buffer Overflow |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 01/06/2020 |
Affected Chipsets* | SDA845, SDM845, SM8150 |
CVE ID | CVE-2019-14116 |
Title | Permissions, Privileges and Access Control Issue in Trustzone |
Description | Privilege escalation by using an altered debug policy image can occur as the XPU protecting the debug policy regions are disabled during the crash dump boot flow |
Technology Area | WIN TZ FW |
Vulnerability Type | CWE-264 Permissions, Privileges, and Access Controls |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 01/06/2020 |
Affected Chipsets* | IPQ6018 |
CVE ID | CVE-2019-14127 |
Title | Buffer Copy Without Checking Size of Input in Video |
Description | Possible buffer overflow while playing mkv clip due to lack of validation of atom size buffer |
Technology Area | Video |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 01/06/2020 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCS605, QM215, Rennell, SA6155P, Saipan, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE ID | CVE-2019-14134 |
Title | Buffer Over-read Issue in WLAN |
Description | Possible out of bound access in WLAN handler when the received value of length in rx path is shorter than the expected value of country IE |
Technology Area | WLAN Firmware |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 01/06/2020 |
Affected Chipsets* | IPQ8074, QCA8081, QCS605, SDA845, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SXR1130 |
CVE ID | CVE-2019-14135 |
Title | Buffer Copy Without Checking Size of Input in WLAN |
Description | Possible integer overflow to buffer overflow in WLAN while parsing nonstandard NAN IE messages. |
Technology Area | WLAN Firmware |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 01/06/2020 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA4010, QCA6174A, QCA6574AU, QCA6584AU, QCA8081, QCA9377, QCA9379, QCA9886, QCN7605, QCS405, QCS605, SA6155P, Saipan, SDA845, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130 |
CVE ID | CVE-2020-3652 |
Title | Buffer Over-read Issue in WLAN |
Description | Possible buffer over-read issue in windows x86 wlan driver function while processing beacon or request frame due to lack of check of length of variable received. |
Technology Area | WLAN Windows Host |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Remote |
Security Rating | High |
Date Reported | 12/28/2019 |
Customer Notified Date | 02/11/2020 |
Affected Chipsets* | MSM8998, QCA6390, SC7180, SC8180X, SDM850 |
CVE ID | CVE-2020-3653 |
Title | Buffer Over-read Issue in WLAN |
Description | Possible buffer over-read in windows wlan driver function due to lack of check of length of variable received from userspace |
Technology Area | WLAN Windows Host |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Remote |
Security Rating | High |
Date Reported | 12/28/2019 |
Customer Notified Date | 02/11/2020 |
Affected Chipsets* | MSM8998, QCA6390, SC7180, SC8180X, SDM850 |
CVE ID | CVE-2019-10523 |
Title | Information Exposure Issue in Telephony |
Description | Target specific data is being sent to remote server and leads to information exposure |
Technology Area | Telephony |
Vulnerability Type | CWE-200 Information Exposure |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 03/21/2019 |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8009, APQ8053, APQ8096AU, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, QCA6574AU, QCS605, Rennell, SDA660, SDM429W, SDM439, SDM450, SDM710, SDM845, SM7150, SM8150, SM8250, SXR2130 |
CVE ID | CVE-2019-10574 |
Title | Buffer Over-read Issue in HLOS |
Description | Lack of boundary checks for data offsets received from HLOS can lead to out-of-bound read |
Technology Area | HLOS |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 03/07/2019 |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8009, APQ8016, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, QCM2150, QCS605, QM215, Rennell, SC7180, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SXR1130, SXR2130 |
* Data is generated only at the time of bulletin creation
Open Source Software Issues:
This table lists high-impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.
Public ID | Security Rating | Technology Area | Date Reported |
CVE-2019-14131 | Critical | WLAN HOST | 11/12/2019 |
CVE-2019-14070 | High | Audio | Internal |
CVE-2019-14104 | High | Camera Driver | Internal |
CVE-2019-14122 | High | Qualcomm IPC | Internal |
CVE-2019-14132 | High | Video | Internal |
CVE-2020-3651 | High | WLAN HOST | 10/14/2019 |
This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.
Public ID | Security Rating | Technology Area | Date Reported |
CVE-2019-10547 | Medium | Kernel | 03/26/2019 |
CVE-2019-10556 | Medium | Display | 12/21/2018 |
CVE-2019-10620 | Medium | Display | 12/26/2017 |
CVE-2019-10621 | Medium | NPU | 07/22/2019 |
CVE-2019-10622 | Medium | Audio | 07/15/2019 |
CVE-2019-10623 | Medium | WLAN HOST | 03/04/2019 |
CVE-2019-10624 | Medium | WLAN HOST | 03/06/2019 |
CVE-2019-10625 | Medium | Core Services | 06/15/2019 |
CVE ID | CVE-2019-14131 |
Title | Improper Validation of Array Index in WLAN |
Description | Out-of-bounds write can occur in radio measurement request handling if the STA receives multiple invalid RRM measurement requests from the AP |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-129 Improper Validation of Array Index |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | 11/12/2019 |
Customer Notified Date | 01/06/2020 |
Affected Chipsets* | APQ8053, APQ8096AU, MSM8998, Nicobar, QCA6574AU, QCS605, Rennell, SA6155P, Saipan, SC8180X, SDM660, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130 |
Patch* |
CVE ID | CVE-2019-14070 |
Title | Use After Free Issue in Audio |
Description | Possible use-after-free issue in PCM volume controls due to a race condition that exists in private data used in mixer controls |
Technology Area | Audio |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 01/06/2020 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, IPQ4019, IPQ6018, IPQ8064, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9615, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCS605, QM215, Rennell, SA6155P, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
Patch* |
CVE ID | CVE-2019-14104 |
Title | Buffer Over-read Issue in Camera |
Description | Slab-out-of-bounds access can occur if the context pointer is invalid due to lack of null check on pointer before accessing it |
Technology Area | Camera Driver |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 01/06/2020 |
Affected Chipsets* | APQ8053, SC8180X, SDX55, SM8150 |
Patch* |
CVE ID | CVE-2019-14122 |
Title | Detection of Error Condition without Action in Qualcomm IPC |
Description | Memory failure in SKB if it fails to add the requested padding to the skb on low memory targets or targets with major memory fragmentation |
Technology Area | Qualcomm IPC |
Vulnerability Type | CWE-390 Detection of Error Condition Without Action |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 01/06/2020 |
Affected Chipsets* | Saipan, SM8150, SM8250, SXR2130 |
Patch* |
CVE ID | CVE-2019-14132 |
Title | Reachable Assertion in Video |
Description | Buffer over-write when this 0-byte buffer is typecasted to some other structure and hence memory corruption |
Technology Area | Video |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 01/06/2020 |
Affected Chipsets* | QCS605, SA6155P, SM8150 |
Patch* |
CVE ID | CVE-2020-3651 |
Title | Reachable Assertion in WLAN |
Description | Active command timeout since WM status change cmd is not removed from active queue if peer sends multiple deauth frames. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-617 Reachable Assertion |
Access Vector | Remote |
Security Rating | High |
Date Reported | 10/14/2019 |
Customer Notified Date | 02/03/2020 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCM2150, QCN7605, QCS605, QM215, SC8180X, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX24, SDX55, SM8150, SXR1130 |
Patch* |
CVE ID | CVE-2019-10547 |
Title | Uncontrolled Resource Consumption in Kernel |
Description | When issuing IOCTL calls to ION, a memory leak can occur due to a failure to unassign pages under certain conditions |
Technology Area | Kernel |
Vulnerability Type | CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion') |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 03/26/2019 |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8009, APQ8053, APQ8096AU, APQ8098, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8953, MSM8996AU, Nicobar, QCN7605, QCS605, Rennell, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM710, SDX24, SDX55, SM7150, SM8150, SM8250, SXR2130 |
Patch* |
CVE ID | CVE-2019-10556 |
Title | Buffer Copy Without Checking Size of Input in Display |
Description | Missing length check before copying the data from kernel space to userspace through the copy function can lead to buffer overflow in some cases |
Technology Area | Display |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/21/2018 |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8009, APQ8053, APQ8096AU, MSM8909W, MSM8917, MSM8953, Nicobar, QCN7605, QCS405, QCS605, QM215, Rennell, Saipan, SC8180X, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM670, SDM710, SDM845, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
Patch* |
CVE ID | CVE-2019-10620 |
Title | Buffer Copy Without Checking Size of Input in Display |
Description | Kernel memory error in debug module due to improper check of user data length before copying into memory |
Technology Area | Display |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/26/2017 |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8096AU, APQ8098, MSM8996AU, QCN7605, SDM439, SDX24, SM8150 |
Patch* |
CVE ID | CVE-2019-10621 |
Title | Use After Free Issue in Neural Processing Unit |
Description | Use after free issue when MAP and UNMAP are called at the same time, as the data structure used by MAP may be freed by the UNMAP function |
Technology Area | NPU |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 07/22/2019 |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | Nicobar, QCS405, Rennell, Saipan, SC8180X, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130 |
Patch* |
CVE ID | CVE-2019-10622 |
Title | Buffer Over-read issue in Audio |
Description | Out of bound memory access can happen while parsing ADSP message due to lack of check of size of payload received from userspace |
Technology Area | Audio |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 07/15/2019 |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8009, APQ8096AU, IPQ4019, IPQ6018, IPQ8064, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, QCN7605, QCS605, SC8180X, SDM710, SDX24, SDX55, SM8150, SM8250, SXR2130 |
Patch* |
CVE ID | CVE-2019-10623 |
Title | Integer Overflow to Buffer Overflow in WLAN Host |
Description | Possible integer overflow can happen in host driver while processing user controlled string due to improper validation on data received. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 03/04/2019 |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | QCN7605, QCS605, Rennell, SC8180X, SDA845, SDM710, SDX24, SDX55, SM7150, SM8150, SM8250, SXR2130 |
Patch* |
CVE ID | CVE-2019-10624 |
Title | Integer Overflow to Buffer Overflow in WLAN Host |
Description | While handling the vendor command there is an integer truncation issue that could yield a buffer overflow due to int data type copied to u8 data type |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 03/06/2019 |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8096AU, MSM8996AU, QCA6574AU, QCN7605, Rennell, SC8180X, SDM710, SDX55, SM7150, SM8150, SM8250, SXR2130 |
Patch* |
CVE ID | CVE-2019-10625 |
Title | Buffer Over-read Issue in Diag Services |
Description | Out of bound access in diag services when DCI command buffer reallocation is not done properly with required capacity |
Technology Area | Core Services |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 06/15/2019 |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8009, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, QCS605, Rennell, SC8180X, SDM429W, SDM710, SDX55, SM7150, SM8150 |
Patch* |
* Data is generated only at the time of bulletin creation
Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:
Version | Date | Comments |
1.0 | April 6, 2020 | Bulletin Published |
1.1 | Nov 17, 2020 | CVE-2020-3651 removed from acknowledgments |
All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.
Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.
This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.
©2021 Qualcomm Technologies, Inc. and/or its affiliated companies.