August 2020 Security Bulletin

Version 1.1

Published: 08/05/2020

This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices.

Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.

Table of Contents

Announcements:
Acknowledgements:
Proprietary Software Issues:
Open Source Software Issues:
Industry Coordination:
Version History:

Announcements

None

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.  

CVE-2020-11116, CVE-2020-11115, CVE-2020-11118 aedla
CVE-2020-11117 Claudio Bozzato of Cisco Talos
CVE-2020-3702 Štefan Svorenčík, Robert Lipovský, Miloš Čermák from ESET
CVE-2019-14074 Arash Tohidi (h4ul4)
CVE-2020-11128 Max Thomas
CVE-2020-3646, CVE-2020-3647 Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360
CVE-2020-3648 Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin.
CVE-2020-11158 Reported by an external researcher to HP, who reported it to us.

Proprietary Software Issues

The tables below summarize security vulnerabilities that were addressed through proprietary software.

This table lists high-impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.

Public ID | Security Rating | Technology Area | Date Reported
CVE-2019-10562 | Critical | QTEE | Internal
CVE-2019-10628 | Critical | KERNEL | Internal
CVE-2019-10629 | Critical | KERNEL | Internal
CVE-2019-13994 | Critical | Qualcomm IPC | Internal
CVE-2019-13998 | Critical | Automotive OS Platform GHS | Internal
CVE-2020-11117 | Critical | WIN SON | 05/04/2020
CVE-2020-3619 | Critical | Graphics | Internal
CVE-2020-3621 | Critical | Qualcomm IPC | Internal
CVE-2020-3667 | Critical | WLAN Firmware | Internal
CVE-2020-3702 | Critical | WLAN | 03/03/2020
CVE-2018-13903 | High | Multi-Mode Call Processor | Internal
CVE-2019-10527 | High | Qualcomm IPC | Internal
CVE-2019-10596 | High | KERNEL | Internal
CVE-2019-10615 | High | HLOS | Internal
CVE-2019-13992 | High | KERNEL | Internal
CVE-2019-13995 | High | Qualcomm IPC | Internal
CVE-2019-13999 | High | Qualcomm IPC | Internal
CVE-2019-14025 | High | Content Protection | Internal
CVE-2019-14052 | High | Data Modem | Internal
CVE-2019-14056 | High | Technologies | Internal
CVE-2019-14065 | High | Technologies | Internal
CVE-2019-14074 | High | Core Services | 08/05/2019
CVE-2019-14089 | High | HLOS | Internal
CVE-2019-14115 | High | Content Protection | Internal
CVE-2019-14119 | High | QTEE | Internal
CVE-2020-11122 | High | Video | Internal
CVE-2020-11128 | High | Core Services | 02/24/2020
CVE-2020-11133 | High | WLAN HAL | Internal
CVE-2020-3611 | High | QTEE | Internal
CVE-2020-3620 | High | Qualcomm IPC | Internal
CVE-2020-3622 | High | Qualcomm IPC | Internal
CVE-2020-3624 | High | Storage | Internal
CVE-2020-3629 | High | DSP Service | Internal
CVE-2020-3636 | High | Content Protection | Internal
CVE-2020-3640 | High | Content Protection | Internal
CVE-2020-3643 | High | Content Protection | Internal
CVE-2020-3644 | High | Content Protection | Internal
CVE-2020-3666 | High | WLAN Firmware | Internal
CVE-2020-3668 | High | WLAN Firmware | Internal
CVE-2020-3669 | High | WLAN Firmware | Internal
CVE-2020-11158 | High | PDF Parser | 4/28/2020

CVE-2019-10562

CVE ID CVE-2019-10562
Title Improper Authentication Issue in QTEE
Description Improper authentication and signature verification of debug policies in the secure boot loader allows unverified debug policies to be loaded into secure memory, leading to memory corruption
Technology Area QTEE
Vulnerability Type CWE-287 Improper Authentication
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* IPQ6018, Kamorta, MSM8998, Nicobar, QCS404, QCS605, QCS610, Rennell, SA415M, SA6155P, SC7180, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-10628

CVE ID CVE-2019-10628
Title Improper Validation of Array Index in Kernel
Description Memory can potentially be corrupted if a random index is allowed to manipulate TLB entries in the kernel from a user library
Technology Area KERNEL
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* APQ8098, Bitra, MDM9205, MDM9650, MSM8998, Nicobar, QCA6390, QCN7605, QCS404, QCS405, QCS605, QCS610, Rennell, SA415M, SA6155P, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-10629

CVE ID CVE-2019-10629
Title Improper Validation of Array Index in kernel
Description A user process can potentially corrupt a kernel virtual page by passing a crafted page in an API
Technology Area KERNEL
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* Bitra, IPQ6018, IPQ8074, MDM9205, Nicobar, QCA8081, QCN7605, QCS404, QCS405, QCS605, QCS610, Rennell, SA415M, SA6155P, Saipan, SC7180, SC8180X, SDA845, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-13994

CVE ID CVE-2019-13994
Title Integer Overflow or Wraparound Issue in Trustzone
Description Lack of a check that the size of the current received data fragment of a particular packet, which is read from shared memory, is less than the actual packet size can lead to memory corruption and potential information leakage
Technology Area Qualcomm IPC
Vulnerability Type CWE-190 Integer Overflow or Wraparound
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Bitra, IPQ6018, IPQ8074, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA8081, QCM2150, QCN7605, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA6155P, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-13998

CVE ID CVE-2019-13998
Title Integer Overflow or Wraparound Issue in Qualcomm IPC
Description Lack of a check that the TX FIFO write and read indices that are read from shared RAM are less than the FIFO size results in memory corruption and potential information leakage
Technology Area Automotive OS Platform GHS
Vulnerability Type CWE-190 Integer Overflow or Wraparound
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Bitra, IPQ6018, IPQ8074, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA8081, QCM2150, QCN7605, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA515M, SA6155P, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2020-11117

CVE ID CVE-2020-11117
Title Command Injection Vulnerability in lbd service
Description In the lbd service, an external user can issue a specially crafted debug command to overwrite arbitrary files with arbitrary content resulting in remote code execution.
Technology Area WIN SON
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Remote
Security Rating Critical
Date Reported 05/04/2020
Customer Notified Date 07/06/2020
Affected Chipsets* IPQ4019, IPQ6018, IPQ8064, IPQ8074, QCA4531, QCA9531, QCA9980

CVE-2020-3619

CVE ID CVE-2020-3619
Title Time-of-check Time-of-use Race Condition in Graphics
Description Non-secure memory is touched multiple times during TrustZone’s execution and can lead to privilege escalation or memory corruption
Technology Area Graphics
Vulnerability Type CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 02/03/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8098, IPQ8074, Kamorta, MDM9150, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8998, QCA8081, QCS404, QCS605, QCS610, QM215, Rennell, SA415M, SC7180, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SM6150, SM7150, SM8150, SXR1130

CVE-2020-3621

CVE ID CVE-2020-3621
Title Improper Validation of Array Index in Qualcomm IPC
Description Lack of a check to ensure that the TX read index and RX write index that are read from shared memory are less than the FIFO size results in memory corruption and potential information leakage
Technology Area Qualcomm IPC
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 02/03/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Bitra, IPQ6018, IPQ8074, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA8081, QCM2150, QCN7605, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA6155P, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2020-3667

CVE ID CVE-2020-3667
Title Buffer Copy Without Checking Size of Input in WLAN
Description Buffer overflow in MIC calculation for WPA due to copying data into a buffer without validating the length of the buffer
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 03/02/2020
Affected Chipsets* APQ8098, IPQ5018, IPQ6018, IPQ8074, Kamorta, MSM8998, Nicobar, QCA6390, QCA8081, QCS404, QCS405, QCS605, Rennell, SA415M, Saipan, SC7180, SC8180X, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SM8250, SXR1130

CVE-2020-3702

CVE ID CVE-2020-3702
Title Cryptographic Issues in WIFI driver (Krook)
Description Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic
Technology Area WLAN
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector Remote
Security Rating Critical
Date Reported 03/03/2020
Customer Notified Date 05/13/2020
Affected Chipsets* QCN550x, QCA9531, QCA955x, QCA956x, AR938x, AR958x, AR934x, AR9331, AR9287, QCA4531, QCA9565, QCA9462, QCA9485

CVE-2018-13903

CVE ID CVE-2018-13903
Title Null Pointer Dereference in Modem
Description Error in UE due to race condition in EPCO handling
Technology Area Multi-Mode Call Processor
Vulnerability Type CWE-476 NULL Pointer Dereference
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8053, MDM9205, MDM9206, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, SDM450, SM8150

CVE-2019-10527

CVE ID CVE-2019-10527
Title Improper Validation of Array Index in Mproc
Description SMEM partition can be manipulated in case of any compromise on HLOS, thus resulting in access to memory outside of SMEM address range which could lead to memory corruption
Technology Area Qualcomm IPC
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Bitra, IPQ6018, IPQ8074, Kamorta, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA4531, QCA6574AU, QCA8081, QCM2150, QCN7605, QCN7606, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA515M, SA6155P, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-10596

CVE ID CVE-2019-10596
Title Improper Access Control Issue in KERNEL
Description Improper access control can allow a signed process to guess the PID of other processes and access their address space
Technology Area KERNEL
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* Bitra, Nicobar, QCS605, QCS610, Rennell, SA6155P, Saipan, SC7180, SC8180X, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-10615

CVE ID CVE-2019-10615
Title Integer Overflow to Buffer Overflow in Trusted Application
Description Possible integer overflow in keymaster 4 while allocating memory, due to multiplication of a large numcerts value and the size of a keymaster blob, which can lead to memory corruption
Technology Area HLOS
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA515M, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-13992

CVE ID CVE-2019-13992
Title Buffer Copy Without Checking Size of Input in kernel
Description Out-of-bounds memory access if stack push and pop operations are performed without a bounds check on the stack top
Technology Area KERNEL
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* Bitra, IPQ6018, IPQ8074, MDM9205, Nicobar, QCA8081, QCN7605, QCS404, QCS405, QCS605, QCS610, Rennell, SA415M, SA6155P, Saipan, SC7180, SC8180X, SDA845, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-13995

CVE ID CVE-2019-13995
Title Integer Overflow or Wraparound Issue in Trustzone
Description Lack of integer overflow check for addition of fragment size and remaining size that are read from shared memory can lead to memory corruption and potential information leakage
Technology Area Qualcomm IPC
Vulnerability Type CWE-190 Integer Overflow or Wraparound
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Bitra, IPQ6018, IPQ8074, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA8081, QCM2150, QCN7605, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA6155P, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-13999

CVE ID CVE-2019-13999
Title Integer Overflow or Wraparound in Qualcomm IPC
Description Lack of a check for integer overflow in round-up and addition operations results in memory corruption and potential information leakage
Technology Area Qualcomm IPC
Vulnerability Type CWE-190 Integer Overflow or Wraparound
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, IPQ6018, IPQ8074, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA8081, QCM2150, QCN7605, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA515M, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-14025

CVE ID CVE-2019-14025
Title Untrusted Pointer Dereference Issue in Content Protection
Description When a new session is created, an object containing TZ addresses is returned and passed to HLOS as a handle to refer to that session, which can cause TZ to jump to an invalid address
Technology Area Content Protection
Vulnerability Type CWE-822 Untrusted Pointer Dereference
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/02/2019
Affected Chipsets* Kamorta, QCS404, QCS610, Rennell, SC7180, SDX55, SM6150, SM7150, SM8250, SXR2130

CVE-2019-14052

CVE ID CVE-2019-14052
Title Use of Initialized Data in MODEM
Description Accessing an uninitialized data structure could result in partial copying of contents and thus incorrect processing
Technology Area Data Modem
Vulnerability Type CWE-457 Use of Uninitialized Variable
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QCS610, QM215, SA415M, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130

CVE-2019-14056

CVE ID CVE-2019-14056
Title Integer Overflow or Wraparound Issue in TrustZone
Description Possible integer overflow in API due to lack of check on large oid range count in cert extension field
Technology Area Technologies
Vulnerability Type CWE-190 Integer Overflow or Wraparound
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* Kamorta, MDM9150, MDM9205, MDM9607, MDM9650, Nicobar, QCS404, QCS405, QCS605, QCS610, Rennell, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX55, SM6150, SM7150, SM8150, SXR1130, SXR2130

CVE-2019-14065

CVE ID CVE-2019-14065
Title Double Free Issue in TrustZone
Description Pointer double free in HavenSvc due to not setting the pointer to NULL after freeing it
Technology Area Technologies
Vulnerability Type CWE-415 Double Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* APQ8009, APQ8098, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8998, Nicobar, QCS404, QCS405, QCS605, QCS610, Rennell, SA515M, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-14074

CVE ID CVE-2019-14074
Title Integer Overflow or Wraparound Issue in Diag Services
Description Heap overflow in diag command handler due to lack of check of packet length received from user
Technology Area Core Services
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported 08/05/2019
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8076, APQ8096AU, APQ8098, Bitra, IPQ6018, IPQ8074, Kamorta, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA8081, QCM2150, QCN7605, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA6155P, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-14089

CVE ID CVE-2019-14089
Title Key Management Errors in HLOS
Description Provisioning of the Keymaster attestation key and device IDs, which is a one-time process, is incorrectly allowed again after a user data erase or a factory reset
Technology Area HLOS
Vulnerability Type CWE-320 Key Management Errors
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* Kamorta, Nicobar, QCS404, QCS610, Rennell, SA515M, SA6155P, SC7180, SC8180X, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130

CVE-2019-14115

CVE ID CVE-2019-14115
Title Information Exposure in Content Protection
Description Information disclosure occurs because, in the current logic, secure touch is released without clearing the display session, which can result in a user reading the secure input while touch is in the non-secure domain and secure display is active
Technology Area Content Protection
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8076, APQ8096AU, APQ8098, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA515M, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-14119

CVE ID CVE-2019-14119
Title Time of Check Time of Use Race Condition in QTEE
Description While processing the SMCInvoke asynchronous message header, the message count is modified, leading to a TOCTOU race condition and memory corruption
Technology Area QTEE
Vulnerability Type CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* IPQ6018, Kamorta, MDM9205, MDM9607, Nicobar, QCS404, QCS405, QCS605, QCS610, Rennell, SA415M, SA515M, SA6155P, SC7180, SC8180X, SDM670, SDM710, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2020-11122

CVE ID CVE-2020-11122
Title Untrusted Pointer Dereference Issue in Video
Description Null pointer exception while playing a crafted mkv file, as the data stream gets deleted on a secondary invalid configuration
Technology Area Video
Vulnerability Type CWE-822 Untrusted Pointer Dereference
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 05/04/2020
Affected Chipsets* APQ8098, Bitra, Kamorta, SA6155P, Saipan, SM6150, SM7150, SM8150, SM8250, SXR2130

CVE-2020-11128

CVE ID CVE-2020-11128
Title Improper Validation of Array Index in Diag Services
Description Possible out of bound access while copying the mask file content into the buffer without checking the buffer size
Technology Area Core Services
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported 02/24/2020
Customer Notified Date 05/04/2020
Affected Chipsets* APQ8009, APQ8096AU, APQ8098, Bitra, Kamorta, MDM9150, MDM9607, MDM9650, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8998, QCM2150, QCS405, QCS605, QCS610, QM215, Rennell, SA515M, SA6155P, Saipan, SC8180X, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM660, SDM670, SDM710, SDM845, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2020-11133

CVE ID CVE-2020-11133
Title Stack-based Buffer Overflow in WLAN
Description Possible out of bound array write in rxdco cal utility due to lack of array bound check
Technology Area WLAN HAL
Vulnerability Type CWE-121 Stack-based Buffer Overflow
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 06/01/2020
Affected Chipsets* MSM8998, QCS605, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SXR1130

CVE-2020-3611

CVE ID CVE-2020-3611
Title Improper Access Control Issue in Core
Description XBL SEC clearing only the ZI region when loading Qualcomm-signed segments can lead to an improper access issue
Technology Area QTEE
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 02/03/2020
Affected Chipsets* APQ8098, Kamorta, MSM8998, QCS404, QCS605, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SXR1130

CVE-2020-3620

CVE ID CVE-2020-3620
Title Integer Overflow or Wraparound in Qualcomm IPC
Description Lack of check of integer overflow while doing a round up operation for data read from shared memory for G-link SMEM transport can lead to corruption and potential information leak
Technology Area Qualcomm IPC
Vulnerability Type CWE-190 Integer Overflow or Wraparound
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 02/03/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Bitra, IPQ6018, IPQ8074, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA8081, QCM2150, QCN7605, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA6155P, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2020-3622

CVE ID CVE-2020-3622
Title Improper Input Validation issue in Qualcomm IPC
Description A channel name string read from shared memory is potentially subjected to string manipulations but is not validated for NULL termination, which can result in memory corruption
Technology Area Qualcomm IPC
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 02/03/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Bitra, IPQ6018, IPQ8074, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA8081, QCM2150, QCN7605, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA6155P, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2020-3624

CVE ID CVE-2020-3624
Title Integer Overflow or Wraparound Issue in Storage
Description A potential buffer overflow exists due to integer overflow when parsing handler options due to wrong data type usage in operation
Technology Area Storage
Vulnerability Type CWE-190 Integer Overflow or Wraparound
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 02/03/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Kamorta, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCN7605, QCS605, QCS610, QM215, Rennell, SA415M, SA515M, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2020-3629

CVE ID CVE-2020-3629
Title Buffer Copy Without Checking Size of input in DSP Services
Description Stack out-of-bounds issue occurs when querying DSP capabilities because a wrong assumption was made in determining the buffer size for the DSP attributes
Technology Area DSP Service
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 02/03/2020
Affected Chipsets* Bitra, Kamorta, Rennell, SC7180, SDM845, SM6150, SM7150, SM8150, SM8250, SXR2130

CVE-2020-3636

CVE ID CVE-2020-3636
Title Usage of Out-of-range Pointer Offset in Content Protection
Description Out of bound writes happen when accessing usage_table header entry beyond the memory allocated for the header
Technology Area Content Protection
Vulnerability Type CWE-823 Use of Out-of-range Pointer Offset
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 02/03/2020
Affected Chipsets* Kamorta, QCS404, QCS610, Rennell, SC7180, SDX55, SM6150, SM7150, SM8250, SXR2130

CVE-2020-3640

CVE ID CVE-2020-3640
Title Incorrect Calculation of Buffer Size in Content Protection
Description Resizing the usage table header before passing all the checks leads to the function exiting with a usage table in an invalid state when an HLOS adversary calls the function with wrong input
Technology Area Content Protection
Vulnerability Type CWE-131 Incorrect Calculation of Buffer Size
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 02/03/2020
Affected Chipsets* Bitra, Kamorta, QCS404, QCS610, Rennell, Saipan, SC7180, SDX55, SM6150, SM7150, SM8250, SXR2130

CVE-2020-3643

CVE ID CVE-2020-3643
Title Information Exposure in Content Protection
Description Information disclosure issue can occur due to partial secure display-touch session tear-down
Technology Area Content Protection
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 02/03/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8076, APQ8096AU, APQ8098, IPQ6018, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA515M, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2020-3644

CVE ID CVE-2020-3644
Title Information Exposure in Content Protection
Description Information disclosure occurs because, in the current logic, the Secure Touch session is released without terminating the display session
Technology Area Content Protection
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 02/03/2020
Affected Chipsets* APQ8009, APQ8096AU, APQ8098, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8996, MSM8996AU, MSM8998, Nicobar, QCS404, QCS405, QCS605, QCS610, Rennell, SA415M, SA515M, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2020-3666

CVE ID CVE-2020-3666
Title Stack Based Buffer overflow in WLAN
Description Out of bounds memory access during memory copy while processing Host command
Technology Area WLAN Firmware
Vulnerability Type CWE-121 Stack-based Buffer Overflow
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 03/02/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, IPQ4019, IPQ6018, IPQ8064, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8996AU, MSM8998, QCA6174A, QCA6574, QCA6574AU, QCA6584AU, QCA8081, QCA9377, QCA9379, QCA9531, QCA9558, QCA9563, QCA9880, QCA9886, QCA9980, QCN5500, QCN5502, QCS404, QCS405, QCS605, SA6155P, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SXR1130

CVE-2020-3668

CVE ID CVE-2020-3668
Title Buffer Copy Without Checking Size of Input in WLAN
Description Buffer overflow while parsing PMF enabled MCBC frames due to frame length being less than what is expected while parsing
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 03/02/2020
Affected Chipsets* IPQ6018, IPQ8074, Kamorta, Nicobar, QCA6390, QCA8081, QCN7605, QCS404, QCS405, QCS605, Rennell, SA415M, SC7180, SC8180X, SDA845, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SXR1130

CVE-2020-3669

CVE ID CVE-2020-3669
Title Use of Out of Range Pointer Offset in WLAN
Description Buffer Overflow issue in WLAN tcp ip verification due to usage of out of range pointer offset
Technology Area WLAN Firmware
Vulnerability Type CWE-823 Use of Out-of-range Pointer Offset
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 03/02/2020
Affected Chipsets* APQ8098, IPQ5018, IPQ6018, IPQ8074, Kamorta, MSM8998, Nicobar, QCA6390, QCA8081, QCN7605, QCS404, QCS405, QCS605, Rennell, SA415M, SC7180, SC8180X, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SM8250, SXR1130

CVE-2020-3675

CVE ID CVE-2020-3675
Title Buffer Over-read Issue in WLAN
Description Potential integer underflow while parsing Service Info and IPv6 link-local TLVs that come as part of the NDPE attribute
Technology Area WLAN Firmware
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 03/02/2020
Affected Chipsets* IPQ5018, IPQ6018, IPQ8074, Kamorta, Nicobar, QCA6390, QCN7605, QCS404, QCS405, Rennell, SA415M, Saipan, SC7180, SC8180X, SDX55, SM6150, SM7150, SM8150, SM8250

CVE-2020-11158

CVE ID CVE-2020-11158
Title NULL Pointer Dereference in PDF-Compatible Interpreter
Description Null pointer dereference in HP OfficeJet Pro 8210 jbig2 filter due to lack of check of PDF font array leads to denial of service
Technology Area PDF Parser
Vulnerability Type CWE-476 NULL Pointer Dereference
Access Vector Remote
Security Rating High
Date Reported 4/28/2020
Customer Notified Date 6/10/2020
Affected Chipsets* IPS PDF releases prior to IPS System 2020.

 

* Data is generated only at the time of bulletin creation

Open Source Software Issues

The tables below summarize security vulnerabilities that were addressed through open source software.

This table lists high impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.

Public ID Security Rating Technology Area Date Reported
CVE-2020-11116 Critical WLAN HOST 11/17/2019
CVE-2019-10527 High Qualcomm IPC Internal
CVE-2019-14117 High Data Network Stack & Connectivity Internal
CVE-2020-11115 High WLAN HOST 11/24/2019
CVE-2020-11118 High WLAN HOST 11/24/2019
CVE-2020-11120 High WLAN HOST Internal

This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.

Public ID Security Rating Technology Area Date Reported
CVE-2020-3646 Medium Display 09/24/2019
CVE-2020-3647 Medium NPU 08/25/2019
CVE-2020-3648 Medium DSP Service 10/10/2018

CVE-2020-11116

CVE ID CVE-2020-11116
Title Buffer Copy Without Checking Size of Input in WLAN
Description Possible out of bound write while processing association response received from host due to lack of check of IE length
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating Critical
Date Reported 11/17/2019
Customer Notified Date 05/04/2020
Affected Chipsets* APQ8009, APQ8053, APQ8096AU, APQ8098, Bitra, Kamorta, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCM2150, QCN7605, QCS405, QCS605, QCS610, QM215, SA6155P, Saipan, SC8180X, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130
Patch*

CVE-2019-10527

CVE ID CVE-2019-10527
Title Improper Validation of Array Index in Mproc
Description SMEM partition can be manipulated in case of any compromise on HLOS, thus resulting in access to memory outside of SMEM address range which could lead to memory corruption
Technology Area Qualcomm IPC
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Bitra, IPQ6018, IPQ8074, Kamorta, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA4531, QCA6574AU, QCA8081, QCM2150, QCN7605, QCN7606, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA515M, SA6155P, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
Patch*

CVE-2019-14117

CVE ID CVE-2019-14117
Title Use After Free Issue in WLAN
Description Whenever the page list is updated via privileged user, the previous list elements are freed but are not deleted from the list which results in a use after free causing an unhandled page fault exception in rmnet driver
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* Bitra, MDM9607, QCS405, Saipan, SC8180X, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130
Patch*

CVE-2020-11115

CVE ID CVE-2020-11115
Title Information Exposure Issue in WLAN
Description Buffer over read occurs while processing information element from beacon due to lack of check of data received from beacon
Technology Area WLAN HOST
Vulnerability Type CWE-200 Information Exposure
Access Vector Remote
Security Rating High
Date Reported 11/24/2019
Customer Notified Date 05/04/2020
Affected Chipsets* APQ8009, APQ8053, APQ8096AU, APQ8098, Bitra, Kamorta, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCM2150, QCN7605, QCS405, QCS605, QM215, Rennell, SA415M, Saipan, SC8180X, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM660, SDM845, SDX20, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130
Patch*

CVE-2020-11118

CVE ID CVE-2020-11118
Title Information Exposure Issues in WLAN
Description Information exposure issues while processing IE header due to improper check of beacon IE frame
Technology Area WLAN HOST
Vulnerability Type CWE-200 Information Exposure
Access Vector Remote
Security Rating High
Date Reported 11/24/2019
Customer Notified Date 05/04/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Bitra, Kamorta, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8998, Nicobar, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCM2150, QCN7605, QCS405, QCS605, QCS610, QM215, Rennell, Saipan, SC8180X, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
Patch*

CVE-2020-11120

CVE ID CVE-2020-11120
Title Use After Free Issue in WLAN
Description Calling thread may free the data buffer pointer that was passed to the callback and later when event loop executes the callback, data buffer may not be valid and will lead to use after free scenario
Technology Area WLAN HOST
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 05/04/2020
Affected Chipsets* APQ8096AU, APQ8098, Bitra, Kamorta, MSM8917, MSM8953, MSM8998, QCM2150, QCS405, QCS605, QM215, Rennell, Saipan, SDM429, SDM439, SDM450, SDM632, SM6150, SM7150, SM8150, SM8250, SXR2130
Patch*

CVE-2020-3646

CVE ID CVE-2020-3646
Title Buffer Copy Without Checking Size of Input in Video
Description Buffer overflow seen as the destination buffer size is less than the source buffer size in video application
Technology Area Display
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating Medium
Date Reported 09/24/2019
Customer Notified Date 02/03/2020
Affected Chipsets* Bitra, MSM8909W, QCM2150, QCS405, QCS605, Saipan, SC8180X, SDA845, SDM429W, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130
Patch*

CVE-2020-3647

CVE ID CVE-2020-3647
Title Stack Based Overflow in Neural Processing Unit
Description Potential buffer overflow when accessing npu debugfs node "off"/"log" with large buffer size
Technology Area NPU
Vulnerability Type CWE-121 Stack-based Buffer Overflow
Access Vector Local
Security Rating Medium
Date Reported 08/25/2019
Customer Notified Date 02/03/2020
Affected Chipsets* MDM9607, QCS405, SC8180X, SDX55, SM6150, SM7150, SM8150
Patch*

CVE-2020-3648

CVE ID CVE-2020-3648
Title Use of Out-of-range Pointer offset in DSP Services
Description Possible out of bound write in DSP driver code due to lack of check of data received from user
Technology Area DSP Service
Vulnerability Type CWE-823 Use of Out-of-range Pointer Offset
Access Vector Local
Security Rating Medium
Date Reported 10/10/2018
Customer Notified Date 02/03/2020
Affected Chipsets* MSM8909W
Patch*
  • CAF link not available

* Data is generated only at the time of bulletin creation

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

  • Consideration of security protections such as SELinux not enforced on some platforms

  • Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high level OS kernel

Version History

Version Date Comments
1.0 August 3, 2020 Bulletin Published
1.1 August 5, 2020 Added CVE-2020-11158

All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.

Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.

This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.

©2020 Qualcomm Technologies, Inc. and/or its affiliated companies.
