August 2020 Security Bulletin
Version 1.1
Published: 08/05/2020
This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices.
Please reach out to [email protected] for any questions related to this bulletin.
Table of Contents
| Announcements: |
| Acknowledgements: |
| Proprietary Software Issues: |
| Open Source Software Issues: |
| Industry Coordination: |
| Version History: |
Announcements
None
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
| CVE-2020-11116, CVE-2020-11115, CVE-2020-11118 | aedla |
| CVE-2020-11117 | Claudio Bozzato of Cisco Talos |
| CVE-2020-3702 | Štefan Svorenčík, Robert Lipovský, Miloš Čermák from ESET |
| CVE-2019-14074 | Arash Tohidi (h4ul4) |
| CVE-2020-11128 | Max Thomas |
| CVE-2020-3646, CVE-2020-3647 | Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360 |
| CVE-2020-3648 | Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin. |
| CVE-2020-11158 | Reported by an external researcher to HP, who reported it to us. |
Proprietary Software Issues
The tables below summarize security vulnerabilities that were addressed through proprietary software.
This table lists high-impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2019-10562 | Critical | QTEE | Internal |
| CVE-2019-10628 | Critical | KERNEL | Internal |
| CVE-2019-10629 | Critical | KERNEL | Internal |
| CVE-2019-13994 | Critical | Qualcomm IPC | Internal |
| CVE-2019-13998 | Critical | Automotive OS Platform GHS | Internal |
| CVE-2020-11117 | Critical | WIN SON | 05/04/2020 |
| CVE-2020-3619 | Critical | Graphics | Internal |
| CVE-2020-3621 | Critical | Qualcomm IPC | Internal |
| CVE-2020-3667 | Critical | WLAN Firmware | Internal |
| CVE-2020-3702 | Critical | WLAN | 03/03/2020 |
| CVE-2018-13903 | High | Multi-Mode Call Processor | Internal |
| CVE-2019-10527 | High | Qualcomm IPC | Internal |
| CVE-2019-10596 | High | KERNEL | Internal |
| CVE-2019-10615 | High | HLOS | Internal |
| CVE-2019-13992 | High | KERNEL | Internal |
| CVE-2019-13995 | High | Qualcomm IPC | Internal |
| CVE-2019-13999 | High | Qualcomm IPC | Internal |
| CVE-2019-14025 | High | Content Protection | Internal |
| CVE-2019-14052 | High | Data Modem | Internal |
| CVE-2019-14056 | High | Technologies | Internal |
| CVE-2019-14065 | High | Technologies | Internal |
| CVE-2019-14074 | High | Core Services | 08/05/2019 |
| CVE-2019-14089 | High | HLOS | Internal |
| CVE-2019-14115 | High | Content Protection | Internal |
| CVE-2019-14119 | High | QTEE | Internal |
| CVE-2020-11122 | High | Video | Internal |
| CVE-2020-11128 | High | Core Services | 02/24/2020 |
| CVE-2020-11133 | High | WLAN HAL | Internal |
| CVE-2020-3611 | High | QTEE | Internal |
| CVE-2020-3620 | High | Qualcomm IPC | Internal |
| CVE-2020-3622 | High | Qualcomm IPC | Internal |
| CVE-2020-3624 | High | Storage | Internal |
| CVE-2020-3629 | High | DSP Service | Internal |
| CVE-2020-3636 | High | Content Protection | Internal |
| CVE-2020-3640 | High | Content Protection | Internal |
| CVE-2020-3643 | High | Content Protection | Internal |
| CVE-2020-3644 | High | Content Protection | Internal |
| CVE-2020-3666 | High | WLAN Firmware | Internal |
| CVE-2020-3668 | High | WLAN Firmware | Internal |
| CVE-2020-3669 | High | WLAN Firmware | Internal |
| CVE-2020-3675 | High | WLAN Firmware | Internal |
| CVE-2020-11158 | High | PDF Parser | 4/28/2020 |
CVE-2019-10562
| CVE ID | CVE-2019-10562 |
| Title | Improper Authentication Issue in QTEE |
| Description | Improper authentication and signature verification of debug policies in the secure boot loader will allow unverified debug policies to be loaded into secure memory, leading to memory corruption |
| Technology Area | QTEE |
| Vulnerability Type | CWE-287 Improper Authentication |
| Access Vector | Local |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | IPQ6018, Kamorta, MSM8998, Nicobar, QCS404, QCS605, QCS610, Rennell, SA415M, SA6155P, SC7180, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2019-10628
| CVE ID | CVE-2019-10628 |
| Title | Improper Validation of Array Index in Kernel |
| Description | Memory can potentially be corrupted if a random index is allowed to manipulate TLB entries in the kernel from a user library |
| Technology Area | KERNEL |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | APQ8098, Bitra, MDM9205, MDM9650, MSM8998, Nicobar, QCA6390, QCN7605, QCS404, QCS405, QCS605, QCS610, Rennell, SA415M, SA6155P, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2019-10629
| CVE ID | CVE-2019-10629 |
| Title | Improper Validation of Array Index in kernel |
| Description | A user process can potentially corrupt a kernel virtual page by passing a crafted page in an API |
| Technology Area | KERNEL |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | Bitra, IPQ6018, IPQ8074, MDM9205, Nicobar, QCA8081, QCN7605, QCS404, QCS405, QCS605, QCS610, Rennell, SA415M, SA6155P, Saipan, SC7180, SC8180X, SDA845, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2019-13994
| CVE ID | CVE-2019-13994 |
| Title | Integer Overflow or Wraparound Issue in Trustzone |
| Description | Lack of a check that the current received data fragment size of a particular packet, read from shared memory, is less than the actual packet size can lead to memory corruption and potential information leakage |
| Technology Area | Qualcomm IPC |
| Vulnerability Type | CWE-190 Integer Overflow or Wraparound |
| Access Vector | Local |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Bitra, IPQ6018, IPQ8074, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA8081, QCM2150, QCN7605, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA6155P, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2019-13998
| CVE ID | CVE-2019-13998 |
| Title | Integer Overflow or Wraparound Issue in Qualcomm IPC |
| Description | Lack of a check that the TX FIFO write and read indices read from shared RAM are less than the FIFO size results in memory corruption and potential information leakage |
| Technology Area | Automotive OS Platform GHS |
| Vulnerability Type | CWE-190 Integer Overflow or Wraparound |
| Access Vector | Local |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Bitra, IPQ6018, IPQ8074, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA8081, QCM2150, QCN7605, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA515M, SA6155P, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2020-11117
| CVE ID | CVE-2020-11117 |
| Title | Command Injection Vulnerability in lbd service |
| Description | In the lbd service, an external user can issue a specially crafted debug command to overwrite arbitrary files with arbitrary content resulting in remote code execution. |
| Technology Area | WIN SON |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Remote |
| Security Rating | Critical |
| Date Reported | 05/04/2020 |
| Customer Notified Date | 07/06/2020 |
| Affected Chipsets* | IPQ4019, IPQ6018, IPQ8064, IPQ8074, QCA4531, QCA9531, QCA9980 |
CVE-2020-3619
| CVE ID | CVE-2020-3619 |
| Title | Time-of-check Time-of-use Race Condition in Graphics |
| Description | Non-secure memory is touched multiple times during TrustZone’s execution and can lead to privilege escalation or memory corruption |
| Technology Area | Graphics |
| Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
| Access Vector | Local |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 02/03/2020 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8098, IPQ8074, Kamorta, MDM9150, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8998, QCA8081, QCS404, QCS605, QCS610, QM215, Rennell, SA415M, SC7180, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SM6150, SM7150, SM8150, SXR1130 |
CVE-2020-3621
| CVE ID | CVE-2020-3621 |
| Title | Improper Validation of Array Index in Qualcomm IPC |
| Description | Lack of a check to ensure that the TX read index and RX write index read from shared memory are less than the FIFO size results in memory corruption and potential information leakage |
| Technology Area | Qualcomm IPC |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 02/03/2020 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Bitra, IPQ6018, IPQ8074, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA8081, QCM2150, QCN7605, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA6155P, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2020-3667
| CVE ID | CVE-2020-3667 |
| Title | Buffer Copy Without Checking Size of Input in WLAN |
| Description | Buffer overflow in MIC calculation for WPA due to copying data into a buffer without validating the length of the buffer |
| Technology Area | WLAN Firmware |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Remote |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 03/02/2020 |
| Affected Chipsets* | APQ8098, IPQ5018, IPQ6018, IPQ8074, Kamorta, MSM8998, Nicobar, QCA6390, QCA8081, QCS404, QCS405, QCS605, Rennell, SA415M, Saipan, SC7180, SC8180X, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SM8250, SXR1130 |
CVE-2020-3702
| CVE ID | CVE-2020-3702 |
| Title | Cryptographic Issues in WIFI driver (Krook) |
| Description | Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic |
| Technology Area | WLAN |
| Vulnerability Type | CWE-310 Cryptographic Issues |
| Access Vector | Remote |
| Security Rating | Critical |
| Date Reported | 03/03/2020 |
| Customer Notified Date | 05/13/2020 |
| Affected Chipsets* | QCN550x, QCA9531, QCA955x, QCA956x, AR938x, AR958x, AR934x, AR9331, AR9287, QCA4531, QCA9565, QCA9462, QCA9485 |
CVE-2018-13903
| CVE ID | CVE-2018-13903 |
| Title | Null Pointer Dereference in Modem |
| Description | Error in UE due to race condition in EPCO handling |
| Technology Area | Multi-Mode Call Processor |
| Vulnerability Type | CWE-476 NULL Pointer Dereference |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 12/02/2019 |
| Affected Chipsets* | APQ8053, MDM9205, MDM9206, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, SDM450, SM8150 |
CVE-2019-10527
| CVE ID | CVE-2019-10527 |
| Title | Improper Validation of Array Index in Mproc |
| Description | The SMEM partition can be manipulated in case of any compromise of HLOS, resulting in access to memory outside of the SMEM address range, which could lead to memory corruption |
| Technology Area | Qualcomm IPC |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Bitra, IPQ6018, IPQ8074, Kamorta, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA4531, QCA6574AU, QCA8081, QCM2150, QCN7605, QCN7606, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA515M, SA6155P, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2019-10596
| CVE ID | CVE-2019-10596 |
| Title | Improper Access Control Issue in KERNEL |
| Description | Improper access control can allow a signed process to guess the pid of other processes and access their address space |
| Technology Area | KERNEL |
| Vulnerability Type | CWE-284 Improper Access Control |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | Bitra, Nicobar, QCS605, QCS610, Rennell, SA6155P, Saipan, SC7180, SC8180X, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2019-10615
| CVE ID | CVE-2019-10615 |
| Title | Integer Overflow to Buffer Overflow in Trusted Application |
| Description | Possibility of integer overflow in keymaster 4 while allocating memory, due to multiplication of a large numcerts value and the size of the keymaster blob, which can lead to memory corruption |
| Technology Area | HLOS |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA515M, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2019-13992
| CVE ID | CVE-2019-13992 |
| Title | Buffer Copy Without Checking Size of Input in kernel |
| Description | Out-of-bounds memory access if stack push and pop operations are performed without a bounds check on the stack top |
| Technology Area | KERNEL |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | Bitra, IPQ6018, IPQ8074, MDM9205, Nicobar, QCA8081, QCN7605, QCS404, QCS405, QCS605, QCS610, Rennell, SA415M, SA6155P, Saipan, SC7180, SC8180X, SDA845, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2019-13995
| CVE ID | CVE-2019-13995 |
| Title | Integer Overflow or Wraparound Issue in Trustzone |
| Description | Lack of an integer overflow check for the addition of fragment size and remaining size, both read from shared memory, can lead to memory corruption and potential information leakage |
| Technology Area | Qualcomm IPC |
| Vulnerability Type | CWE-190 Integer Overflow or Wraparound |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Bitra, IPQ6018, IPQ8074, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA8081, QCM2150, QCN7605, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA6155P, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2019-13999
| CVE ID | CVE-2019-13999 |
| Title | Integer Overflow or Wraparound in Qualcomm IPC |
| Description | Lack of a check for integer overflow in round-up and addition operations results in memory corruption and potential information leakage |
| Technology Area | Qualcomm IPC |
| Vulnerability Type | CWE-190 Integer Overflow or Wraparound |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, IPQ6018, IPQ8074, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA8081, QCM2150, QCN7605, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA515M, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2019-14025
| CVE ID | CVE-2019-14025 |
| Title | Untrusted Pointer Dereference Issue in Content Protection |
| Description | When a new session is created, an object is returned that contains TZ addresses; it is passed to HLOS as a handle to refer to a particular session and can cause TZ to jump to an invalid address |
| Technology Area | Content Protection |
| Vulnerability Type | CWE-822 Untrusted Pointer Dereference |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 12/02/2019 |
| Affected Chipsets* | Kamorta, QCS404, QCS610, Rennell, SC7180, SDX55, SM6150, SM7150, SM8250, SXR2130 |
CVE-2019-14052
| CVE ID | CVE-2019-14052 |
| Title | Use of Uninitialized Data in MODEM |
| Description | Accessing an uninitialized data structure could result in partial copying of contents and thus incorrect processing |
| Technology Area | Data Modem |
| Vulnerability Type | CWE-457 Use of Uninitialized Variable |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QCS610, QM215, SA415M, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130 |
CVE-2019-14056
| CVE ID | CVE-2019-14056 |
| Title | Integer Overflow or Wraparound Issue in TrustZone |
| Description | Possible integer overflow in an API due to lack of a check on a large OID range count in the cert extension field |
| Technology Area | Technologies |
| Vulnerability Type | CWE-190 Integer Overflow or Wraparound |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | Kamorta, MDM9150, MDM9205, MDM9607, MDM9650, Nicobar, QCS404, QCS405, QCS605, QCS610, Rennell, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX55, SM6150, SM7150, SM8150, SXR1130, SXR2130 |
CVE-2019-14065
| CVE ID | CVE-2019-14065 |
| Title | Double Free Issue in TrustZone |
| Description | Pointer double free in HavenSvc due to not setting the pointer to NULL after freeing it |
| Technology Area | Technologies |
| Vulnerability Type | CWE-415 Double Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | APQ8009, APQ8098, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8998, Nicobar, QCS404, QCS405, QCS605, QCS610, Rennell, SA515M, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2019-14074
| CVE ID | CVE-2019-14074 |
| Title | Integer Overflow or Wraparound Issue in Diag Services |
| Description | Heap overflow in the diag command handler due to lack of a check on the packet length received from the user |
| Technology Area | Core Services |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 08/05/2019 |
| Customer Notified Date | 12/02/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8076, APQ8096AU, APQ8098, Bitra, IPQ6018, IPQ8074, Kamorta, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA8081, QCM2150, QCN7605, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA6155P, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2019-14089
| CVE ID | CVE-2019-14089 |
| Title | Key Management Errors in HLOS |
| Description | Provisioning of the Keymaster attestation key and device IDs, which is a one-time process, is incorrectly allowed to be repeated after a user data erase or a factory reset |
| Technology Area | HLOS |
| Vulnerability Type | CWE-320 Key Management Errors |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | Kamorta, Nicobar, QCS404, QCS610, Rennell, SA515M, SA6155P, SC7180, SC8180X, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130 |
CVE-2019-14115
| CVE ID | CVE-2019-14115 |
| Title | Information Exposure in Content Protection |
| Description | An information disclosure issue occurs because, in the current logic, secure touch is released without clearing the display session, which can result in a user reading the secure input while touch is in the non-secure domain as secure display is active |
| Technology Area | Content Protection |
| Vulnerability Type | CWE-200 Information Exposure |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8076, APQ8096AU, APQ8098, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA515M, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2019-14119
| CVE ID | CVE-2019-14119 |
| Title | Time of Check Time of Use Race Condition in QTEE |
| Description | While processing an SMCInvoke asynchronous message header, the message count is modified, leading to a TOCTOU race condition that can lead to memory corruption |
| Technology Area | QTEE |
| Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | IPQ6018, Kamorta, MDM9205, MDM9607, Nicobar, QCS404, QCS405, QCS605, QCS610, Rennell, SA415M, SA515M, SA6155P, SC7180, SC8180X, SDM670, SDM710, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2020-11122
| CVE ID | CVE-2020-11122 |
| Title | Untrusted Pointer Dereference Issue in Video |
| Description | Null pointer exception while playing a crafted mkv file, as the data stream gets deleted on a secondary invalid configuration |
| Technology Area | Video |
| Vulnerability Type | CWE-822 Untrusted Pointer Dereference |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 05/04/2020 |
| Affected Chipsets* | APQ8098, Bitra, Kamorta, SA6155P, Saipan, SM6150, SM7150, SM8150, SM8250, SXR2130 |
CVE-2020-11128
| CVE ID | CVE-2020-11128 |
| Title | Improper Validation of Array Index in Diag Services |
| Description | Possible out-of-bounds access while copying the mask file content into the buffer without checking the buffer size |
| Technology Area | Core Services |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 02/24/2020 |
| Customer Notified Date | 05/04/2020 |
| Affected Chipsets* | APQ8009, APQ8096AU, APQ8098, Bitra, Kamorta, MDM9150, MDM9607, MDM9650, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8998, QCM2150, QCS405, QCS605, QCS610, QM215, Rennell, SA515M, SA6155P, Saipan, SC8180X, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM660, SDM670, SDM710, SDM845, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2020-11133
| CVE ID | CVE-2020-11133 |
| Title | Stack-based Buffer Overflow in WLAN |
| Description | Possible out-of-bounds array write in the rxdco cal utility due to lack of an array bounds check |
| Technology Area | WLAN HAL |
| Vulnerability Type | CWE-121 Stack-based Buffer Overflow |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 06/01/2020 |
| Affected Chipsets* | MSM8998, QCS605, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SXR1130 |
CVE-2020-3611
| CVE ID | CVE-2020-3611 |
| Title | Improper Access Control Issue in Core |
| Description | XBL SEC clearing only the ZI region when loading Qualcomm-signed segments can lead to an improper access issue |
| Technology Area | QTEE |
| Vulnerability Type | CWE-284 Improper Access Control |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 02/03/2020 |
| Affected Chipsets* | APQ8098, Kamorta, MSM8998, QCS404, QCS605, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SXR1130 |
CVE-2020-3620
| CVE ID | CVE-2020-3620 |
| Title | Integer Overflow or Wraparound in Qualcomm IPC |
| Description | Lack of an integer overflow check while doing a round-up operation on data read from shared memory for the G-link SMEM transport can lead to corruption and potential information leak |
| Technology Area | Qualcomm IPC |
| Vulnerability Type | CWE-190 Integer Overflow or Wraparound |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 02/03/2020 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Bitra, IPQ6018, IPQ8074, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA8081, QCM2150, QCN7605, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA6155P, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2020-3622
| CVE ID | CVE-2020-3622 |
| Title | Improper Input Validation issue in Qualcomm IPC |
| Description | A channel name string read from shared memory is potentially subjected to string manipulations but is not validated for NULL termination, which can result in memory corruption |
| Technology Area | Qualcomm IPC |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 02/03/2020 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Bitra, IPQ6018, IPQ8074, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA8081, QCM2150, QCN7605, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA6155P, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2020-3624
| CVE ID | CVE-2020-3624 |
| Title | Integer Overflow or Wraparound Issue in Storage |
| Description | A potential buffer overflow exists due to an integer overflow when parsing handler options, caused by use of the wrong data type in the operation |
| Technology Area | Storage |
| Vulnerability Type | CWE-190 Integer Overflow or Wraparound |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 02/03/2020 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Kamorta, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCN7605, QCS605, QCS610, QM215, Rennell, SA415M, SA515M, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE-2020-3629
| CVE ID | CVE-2020-3629 |
| Title | Buffer Copy Without Checking Size of Input in DSP Services |
| Description | A stack out-of-bounds issue occurs when querying DSP capabilities because a wrong assumption was made when determining the buffer size for the DSP attributes |
| Technology Area | DSP Service |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 02/03/2020 |
| Affected Chipsets* | Bitra, Kamorta, Rennell, SC7180, SDM845, SM6150, SM7150, SM8150, SM8250, SXR2130 |
CVE-2020-3636
| CVE ID | CVE-2020-3636 |
| Title | Usage of Out-of-range Pointer Offset in Content Protection |
| Description | Out-of-bounds writes occur when accessing a usage_table header entry beyond the memory allocated for the header |
| Technology Area | Content Protection |
| Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 02/03/2020 |
| Affected Chipsets* | Kamorta, QCS404, QCS610, Rennell, SC7180, SDX55, SM6150, SM7150, SM8250, SXR2130 |
CVE-2020-3640
| CVE ID | CVE-2020-3640 |
| Title | Incorrect Calculation of Buffer Size in Content Protection |
| Description | Resizing the usage table header before passing all the checks leads to the function exiting with a usage table in an invalid state when an HLOS adversary calls the function with wrong input |
| Technology Area | Content Protection |
| Vulnerability Type | CWE-131 Incorrect Calculation of Buffer Size |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 02/03/2020 |
| Affected Chipsets* | Bitra, Kamorta, QCS404, QCS610, Rennell, Saipan, SC7180, SDX55, SM6150, SM7150, SM8250, SXR2130 |
CVE-2020-3643
| CVE ID | CVE-2020-3643 |
| Title | Information Exposure in Content Protection |
| Description | Information disclosure issue can occur due to partial secure display-touch session tear-down |
| Technology Area | Content Protection |
| Vulnerability Type | CWE-200 Information Exposure |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 02/03/2020 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8076, APQ8096AU, APQ8098, IPQ6018, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA515M, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2020-3644
| CVE ID | CVE-2020-3644 |
| Title | Information Exposure in Content Protection |
| Description | An information disclosure issue occurs because, in the current logic, the Secure Touch session is released without terminating the display session |
| Technology Area | Content Protection |
| Vulnerability Type | CWE-200 Information Exposure |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 02/03/2020 |
| Affected Chipsets* | APQ8009, APQ8096AU, APQ8098, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8996, MSM8996AU, MSM8998, Nicobar, QCS404, QCS405, QCS605, QCS610, Rennell, SA415M, SA515M, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2020-3666
| CVE ID | CVE-2020-3666 |
| Title | Stack-Based Buffer Overflow in WLAN |
| Description | Out of bounds memory access during memory copy while processing Host command |
| Technology Area | WLAN Firmware |
| Vulnerability Type | CWE-121 Stack-based Buffer Overflow |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 03/02/2020 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, IPQ4019, IPQ6018, IPQ8064, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8996AU, MSM8998, QCA6174A, QCA6574, QCA6574AU, QCA6584AU, QCA8081, QCA9377, QCA9379, QCA9531, QCA9558, QCA9563, QCA9880, QCA9886, QCA9980, QCN5500, QCN5502, QCS404, QCS405, QCS605, SA6155P, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SXR1130 |
CVE-2020-3668
| CVE ID | CVE-2020-3668 |
| Title | Buffer Copy Without Checking Size of Input in WLAN |
| Description | Buffer overflow while parsing PMF-enabled MCBC frames due to the frame length being less than what is expected during parsing |
| Technology Area | WLAN Firmware |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 03/02/2020 |
| Affected Chipsets* | IPQ6018, IPQ8074, Kamorta, Nicobar, QCA6390, QCA8081, QCN7605, QCS404, QCS405, QCS605, Rennell, SA415M, SC7180, SC8180X, SDA845, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SXR1130 |
CVE-2020-3669
| CVE ID | CVE-2020-3669 |
| Title | Use of Out of Range Pointer Offset in WLAN |
| Description | Buffer overflow issue in WLAN TCP/IP verification due to use of an out-of-range pointer offset |
| Technology Area | WLAN Firmware |
| Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 03/02/2020 |
| Affected Chipsets* | APQ8098, IPQ5018, IPQ6018, IPQ8074, Kamorta, MSM8998, Nicobar, QCA6390, QCA8081, QCN7605, QCS404, QCS405, QCS605, Rennell, SA415M, SC7180, SC8180X, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SM8250, SXR1130 |
CVE-2020-3675
| CVE ID | CVE-2020-3675 |
| Title | Buffer Over-read Issue in WLAN |
| Description | Potential integer underflow while parsing Service Info and IPv6 link-local TLVs that come as part of the NDPE attribute |
| Technology Area | WLAN Firmware |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 03/02/2020 |
| Affected Chipsets* | IPQ5018, IPQ6018, IPQ8074, Kamorta, Nicobar, QCA6390, QCN7605, QCS404, QCS405, Rennell, SA415M, Saipan, SC7180, SC8180X, SDX55, SM6150, SM7150, SM8150, SM8250 |
CVE-2020-11158
| CVE ID | CVE-2020-11158 |
| Title | NULL Pointer Dereference in PDF-Compatible Interpreter |
| Description | Null pointer dereference in HP OfficeJet Pro 8210 jbig2 filter due to lack of check of PDF font array leads to denial of service |
| Technology Area | PDF Parser |
| Vulnerability Type | CWE-476 NULL Pointer Dereference |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | 4/28/2020 |
| Customer Notified Date | 6/10/2020 |
| Affected Chipsets* | IPS PDF releases prior to IPS System 2020. |
* Data is generated only at the time of bulletin creation
Open Source Software Issues
The tables below summarize security vulnerabilities that were addressed through open source software.
This table lists high-impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and are strongly advised to release patches on end devices.
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2020-11116 | Critical | WLAN HOST | 11/17/2019 |
| CVE-2019-10527 | High | Qualcomm IPC | Internal |
| CVE-2019-14117 | High | Data Network Stack & Connectivity | Internal |
| CVE-2020-11115 | High | WLAN HOST | 11/24/2019 |
| CVE-2020-11118 | High | WLAN HOST | 11/24/2019 |
| CVE-2020-11120 | High | WLAN HOST | Internal |
This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2020-3646 | Medium | Display | 09/24/2019 |
| CVE-2020-3647 | Medium | NPU | 08/25/2019 |
| CVE-2020-3648 | Medium | DSP Service | 10/10/2018 |
CVE-2020-11116
| CVE ID | CVE-2020-11116 |
| Title | Buffer Copy Without Checking Size of Input in WLAN |
| Description | Possible out of bound write while processing association response received from host due to lack of check of IE length |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Remote |
| Security Rating | Critical |
| Date Reported | 11/17/2019 |
| Customer Notified Date | 05/04/2020 |
| Affected Chipsets* | APQ8009, APQ8053, APQ8096AU, APQ8098, Bitra, Kamorta, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCM2150, QCN7605, QCS405, QCS605, QCS610, QM215, SA6155P, Saipan, SC8180X, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130 |
| Patch* |
|
CVE-2019-10527
| CVE ID | CVE-2019-10527 |
| Title | Improper Validation of Array Index in Mproc |
| Description | SMEM partition can be manipulated in case of any compromise on HLOS, thus resulting in access to memory outside of SMEM address range which could lead to memory corruption |
| Technology Area | Qualcomm IPC |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Bitra, IPQ6018, IPQ8074, Kamorta, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA4531, QCA6574AU, QCA8081, QCM2150, QCN7605, QCN7606, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA515M, SA6155P, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
| Patch* |
|
CVE-2019-14117
| CVE ID | CVE-2019-14117 |
| Title | Use After Free Issue in WLAN |
| Description | Whenever the page list is updated by a privileged user, the previous list elements are freed but are not deleted from the list, which results in a use after free causing an unhandled page fault exception in the rmnet driver |
| Technology Area | Data Network Stack & Connectivity |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | Bitra, MDM9607, QCS405, Saipan, SC8180X, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130 |
| Patch* |
CVE-2020-11115
| CVE ID | CVE-2020-11115 |
| Title | Information Exposure Issue in WLAN |
| Description | Buffer over read occurs while processing information element from beacon due to lack of check of data received from beacon |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-200 Information Exposure |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | 11/24/2019 |
| Customer Notified Date | 05/04/2020 |
| Affected Chipsets* | APQ8009, APQ8053, APQ8096AU, APQ8098, Bitra, Kamorta, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCM2150, QCN7605, QCS405, QCS605, QM215, Rennell, SA415M, Saipan, SC8180X, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM660, SDM845, SDX20, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130 |
| Patch* |
|
CVE-2020-11118
| CVE ID | CVE-2020-11118 |
| Title | Information Exposure Issues in WLAN |
| Description | Information exposure issues while processing IE header due to improper check of beacon IE frame |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-200 Information Exposure |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | 11/24/2019 |
| Customer Notified Date | 05/04/2020 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Bitra, Kamorta, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8998, Nicobar, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCM2150, QCN7605, QCS405, QCS605, QCS610, QM215, Rennell, Saipan, SC8180X, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
| Patch* |
|
CVE-2020-11120
| CVE ID | CVE-2020-11120 |
| Title | Use After Free Issue in WLAN |
| Description | The calling thread may free the data buffer pointer that was passed to the callback; later, when the event loop executes the callback, the data buffer may no longer be valid, leading to a use-after-free scenario |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 05/04/2020 |
| Affected Chipsets* | APQ8096AU, APQ8098, Bitra, Kamorta, MSM8917, MSM8953, MSM8998, QCM2150, QCS405, QCS605, QM215, Rennell, Saipan, SDM429, SDM439, SDM450, SDM632, SM6150, SM7150, SM8150, SM8250, SXR2130 |
| Patch* |
CVE-2020-3646
| CVE ID | CVE-2020-3646 |
| Title | Buffer Copy Without Checking Size of Input in Video |
| Description | Buffer overflow occurs because the destination buffer size is smaller than the source buffer size in the video application |
| Technology Area | Display |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 09/24/2019 |
| Customer Notified Date | 02/03/2020 |
| Affected Chipsets* | Bitra, MSM8909W, QCM2150, QCS405, QCS605, Saipan, SC8180X, SDA845, SDM429W, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130 |
| Patch* |
CVE-2020-3647
| CVE ID | CVE-2020-3647 |
| Title | Stack Based Overflow in Neural Processing Unit |
| Description | Potential buffer overflow when accessing npu debugfs node "off"/"log" with large buffer size |
| Technology Area | NPU |
| Vulnerability Type | CWE-121 Stack-based Buffer Overflow |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 08/25/2019 |
| Customer Notified Date | 02/03/2020 |
| Affected Chipsets* | MDM9607, QCS405, SC8180X, SDX55, SM6150, SM7150, SM8150 |
| Patch* |
CVE-2020-3648
| CVE ID | CVE-2020-3648 |
| Title | Use of Out-of-range Pointer Offset in DSP Services |
| Description | Possible out of bound write in DSP driver code due to lack of check of data received from user |
| Technology Area | DSP Service |
| Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 10/10/2018 |
| Customer Notified Date | 02/03/2020 |
| Affected Chipsets* | MSM8909W |
| Patch* |
|
* Data is generated only at the time of bulletin creation
Industry Coordination
Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:
- Consideration of security protections such as SELinux not enforced on some platforms
- Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high-level OS kernel
Version History
| Version | Date | Comments |
| 1.0 | August 3, 2020 | Bulletin Published |
| 1.1 | August 5, 2020 | Added CVE-2020-11158 |
All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.
Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.
This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.
