August 2023 Security Bulletin
Published: 08/03/2023
This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security issues that have been addressed in QTI’s proprietary code and (ii) links to publicly available code where security issues have been addressed.
Please reach out to [email protected] for any questions related to this bulletin.
Table of Contents
| Announcements |
| Acknowledgements |
| Proprietary Software Issues |
| Open Source Software Issues |
| Industry Coordination |
Announcements
None
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
| CVE-2023-21643,CVE-2023-21651 | Meysam Firouzi and Viacheslav Moskvin from MBition Product Security Team |
| CVE-2023-21625 | Forescout |
| CVE-2023-21652 | Samsung Mobile Security |
| CVE-2023-28555,CVE-2023-21647,CVE-2023-21649,CVE-2023-21650 | Zinuo Han(https://twitter.com/ele7enxxh) of OPPO Amber Security Lab |
| CVE-2023-21648,CVE-2023-28575,CVE-2023-28576,CVE-2023-28577 | Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin. |
Proprietary Software Issues
The tables below summarize security vulnerabilities that were addressed through proprietary software
This table lists high impact security vulnerabilities. Patches are being actively shared with OEMs, who have been notified and strongly recommended to deploy those patches on released devices as soon as possible. Please contact the device manufacturer for information on the patching status of released devices.
| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
|---|---|---|---|---|
| CVE-2022-40510 | Critical | Critical | Audio | Internal |
| CVE-2023-21643 | Critical | Critical | Automotive | 07/18/2022 |
| CVE-2023-21651 | Critical | Critical | Core | 07/18/2022 |
| CVE-2023-28561 | Critical | Critical | Qualcomm ESL | Internal |
| CVE-2023-21625 | High | High | Network Service | 08/04/2021 |
| CVE-2023-21626 | High | High | HLOS | Internal |
| CVE-2023-21652 | High | High | HLOS | 10/11/2022 |
| CVE-2023-22666 | High | High | Audio | Internal |
| CVE-2023-28537 | High | High | Audio | Internal |
| CVE-2023-28555 | High | High | Audio | 10/19/2022 |
This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.
| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
|---|---|---|---|---|
| CVE-2023-21627 | Medium | Medium | HLOS | 07/25/2022 |
| CVE-2023-21648 | Medium | Medium | RIL | 09/10/2022 |
| CVE-2023-21650 | Medium | Medium | GPS HLOS Driver | 08/30/2022 |
CVE-2022-40510
| CVE ID | CVE-2022-40510 |
| Title | Buffer copy without checking size of input in Audio. |
| Description | Memory corruption due to buffer copy without checking size of input in Audio while voice call with EVS vocoder. |
| Technology Area | Audio |
| Vulnerability Type | CWE-457 Use of Uninitialized Variable |
| Access Vector | Remote |
| Security Rating | Critical |
| CVSS Rating | Critical |
| CVSS Score | 9.8 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2023/02/06 |
| Affected Chipsets* | APQ8009, APQ8009W, APQ8017, APQ8037, APQ8064AU, APQ8076, APQ8096AU, AQT1000, AR8031, AR8035, CSRA6620, CSRA6640, CSRB31024, MDM8207, MDM9150, MDM9206, MDM9207, MDM9250, MDM9607, MDM9628, MDM9640, MDM9650, MSM8108, MSM8208, MSM8209, MSM8608, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8996AU, PM8937, QAM8295P, QCA4020, QCA6174A, QCA6310, QCA6320, QCA6335, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCA8081, QCA8337, QCA9367, QCA9377, QCA9379, QCA9984, QCC5100, QCM2290, QCM4290, QCM6125, QCM6490, QCN6024, QCN9011, QCN9012, QCN9024, QCN9074, QCS2290, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QCS6490, QCX315, QRB5165, QRB5165M, QRB5165N, QSM8250, Qualcomm215, SA415M, SA515M, SA6145P, SA6155, SA6155P, SA8150P, SA8155, SA8155P, SA8195P, SA8295P, SC8180X+SDX55, SD 455, SD 636, SD 675, SD 8 Gen1 5G, SD 8CX, SD 8cx Gen2, SD 8cx Gen3, SD205, SD210, SD429, SD439, SD450, SD460, SD480, SD625, SD626, SD632, SD660, SD662, SD665, SD670, SD675, SD678, SD680, SD690 5G, SD695, SD710, SD712, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD7c, SD820, SD835, SD845, SD850, SD855, SD865 5G, SD870, SD888 5G, SDA429W, SDM429W, SDM630, SDW2500, SDX12, SDX20, SDX24, SDX50M, SDX55, SDX55M, SDX65, SDXR1, SDXR2 5G, SM4125, SM4375, SM6250, SM6250P, SM7250P, SM7325P, SW5100, SW5100P, SXR2150P, WCD9306, WCD9326, WCD9330, WCD9335, WCD9340, WCD9341, WCD9360, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3620, WCN3660, WCN3660B, WCN3680, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WCN7850, WCN7851, WSA8810, WSA8815, WSA8830, WSA8835 |
CVE-2023-21643
| CVE ID | CVE-2023-21643 |
| Title | Untrusted Pointer Dereference in Automotive |
| Description | Memory corruption due to untrusted pointer dereference in automotive during system call. |
| Technology Area | Automotive |
| Vulnerability Type | CWE-822 Untrusted Pointer Dereference |
| Access Vector | Local |
| Security Rating | Critical |
| CVSS Rating | Critical |
| CVSS Score | 9.1 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L |
| Date Reported | 2022/07/18 |
| Customer Notified Date | 2023/02/06 |
| Affected Chipsets* | APQ8064AU, APQ8096AU, MSM8996AU, QAM8295P, QCA6564A, QCA6564AU, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6696, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SA8295P, SA8540P, SA9000P |
CVE-2023-21651
| CVE ID | CVE-2023-21651 |
| Title | Incorrect Type Conversion or Cast in Core |
| Description | Memory Corruption in Core due to incorrect type conversion or cast in secure_io_read/write function in TEE. |
| Technology Area | Core |
| Vulnerability Type | CWE-704 Incorrect Type Conversion or Cast |
| Access Vector | Local |
| Security Rating | Critical |
| CVSS Rating | Critical |
| CVSS Score | 9.3 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Date Reported | 2022/07/18 |
| Customer Notified Date | 2023/02/06 |
| Affected Chipsets* | AQT1000, AR8031, AR8035, CSRA6620, CSRA6640, MDM9205, QAM8295P, QCA4004, QCA6174A, QCA6310, QCA6335, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6595, QCA6595AU, QCA6696, QCA8081, QCA8337, QCA9377, QCA9984, QCC5100, QCM2290, QCM4290, QCM6490, QCN6024, QCN7606, QCN9011, QCN9012, QCN9024, QCS2290, QCS405, QCS4290, QCS603, QCS605, QCS6490, QCX315, QRB5165, QRB5165M, QRB5165N, QSM8250, QSM8350, SA515M, SA6145P, SA6155, SA6155P, SA8150P, SA8155, SA8155P, SA8295P, SA8540P, SA9000P, SD 675, SD 8 Gen1 5G, SD 8CX, SD 8cx Gen2, SD 8cx Gen3, SD460, SD480, SD662, SD665, SD670, SD675, SD678, SD680, SD690 5G, SD695, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD845, SD850, SD855, SD865 5G, SD870, SD888, SD888 5G, SDX24, SDX50M, SDX55, SDX55M, SDX57M, SDX65, SDXR2 5G, SG4150P, SM4125, SM4375, SM7250P, SM7315, SM7325P, SSG2115P, SSG2125P, SW5100, SW5100P, SXR1230P, SXR2150P, WCD9306, WCD9326, WCD9335, WCD9340, WCD9341, WCD9360, WCD9370, WCD9375, WCD9380, WCD9385, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WCN7850, WCN7851, WSA8810, WSA8815, WSA8830, WSA8832, WSA8835 |
CVE-2023-28561
| CVE ID | CVE-2023-28561 |
| Title | Buffer Copy Without Checking Size of Input in QESL |
| Description | Memory corruption in QESL while processing payload from external ESL device to firmware. |
| Technology Area | Qualcomm ESL |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Remote |
| Security Rating | Critical |
| CVSS Rating | Critical |
| CVSS Score | 9.8 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2023/05/01 |
| Affected Chipsets* | QCN7606 |
CVE-2023-21625
| CVE ID | CVE-2023-21625 |
| Title | Buffer Over-read in Network Services |
| Description | Information disclosure in Network Services due to buffer over-read while the device receives DNS response. |
| Technology Area | Network Service |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 8.2 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L |
| Date Reported | 2021/08/04 |
| Customer Notified Date | 2023/05/01 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8037, AR8031, CSRA6620, CSRA6640, MDM9205, MDM9250, MDM9650, MSM8108, MSM8208, MSM8209, MSM8608, MSM8917, MSM8937, QCA4004, QCA4010, QCA4020, QCA4024, QCA6174A, QCA6564A, QCA6564AU, QCA6574A, QCA6574AU, QCA9377, QCS405, QTS110, SD205, SD210, SD429, SD439, SD835, WCD9306, WCD9326, WCD9335, WCD9340, WCN3610, WCN3615, WCN3660B, WCN3680B, WCN3980, WCN3990, WCN3998, WCN3999, WSA8810, WSA8815 |
CVE-2023-21626
| CVE ID | CVE-2023-21626 |
| Title | Improper Authentication in HLOS. |
| Description | Cryptographic issue in HLOS due to improper authentication while performing key velocity checks using more than one key. |
| Technology Area | HLOS |
| Vulnerability Type | CWE-320 Key Management Errors |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.1 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| Date Reported | Internal |
| Customer Notified Date | 2023/02/06 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8037, AQT1000, AR8035, CSRA6620, CSRA6640, CSRB31024, FSM10056, MDM8207, MDM9205, MDM9206, MDM9207, MDM9607, MDM9628, MSM8108, MSM8208, MSM8209, MSM8608, MSM8917, MSM8920, MSM8937, MSM8940, PM8937, QAM8295P, QCA4004, QCA4020, QCA6174A, QCA6310, QCA6320, QCA6335, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6595, QCA6595AU, QCA6696, QCA8081, QCA8337, QCA9367, QCA9377, QCA9379, QCM2290, QCM4290, QCM6125, QCM6490, QCN7606, QCS2290, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QCS6490, QCS8155, QCX315, QSM8350, Qualcomm215, SA4150P, SA4155P, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SA8295P, SA8540P, SA9000P, SC8180X+SDX55, SD 455, SD 636, SD 675, SD 8 Gen1 5G, SD 8cx Gen2, SD 8cx Gen3, SD205, SD210, SD429, SD439, SD450, SD460, SD480, SD625, SD626, SD632, SD660, SD662, SD665, SD670, SD675, SD678, SD680, SD690 5G, SD695, SD710, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD7c, SD835, SD845, SD850, SD855, SD865 5G, SD870, SD888, SD888 5G, SDA429W, SDM429W, SDM630, SDX24, SDX50M, SDX55, SDX55M, SDX65, SDXR1, SDXR2 5G, SM4125, SM4375, SM6250, SM6250P, SM7250P, SM7315, SM7325P, SXR2150P, WCD9306, WCD9326, WCD9330, WCD9335, WCD9340, WCD9341, WCD9360, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3620, WCN3660, WCN3660B, WCN3680, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835 |
CVE-2023-21652
| CVE ID | CVE-2023-21652 |
| Title | Key Management Errors in HLOS |
| Description | Cryptographic issue in HLOS as derived keys used to encrypt/decrypt information is present on stack after use. |
| Technology Area | HLOS |
| Vulnerability Type | CWE-320 Key Management Errors |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.7 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| Date Reported | 2022/10/11 |
| Customer Notified Date | 2023/02/06 |
| Affected Chipsets* | AQT1000, AR8035, CSRA6620, CSRA6640, QAM8295P, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6574, QCA6574A, QCA6574AU, QCA6595, QCA6595AU, QCA6696, QCA8081, QCA8337, QCC5100, QCM2290, QCM4290, QCM6125, QCM6490, QCN6024, QCN7606, QCN9024, QCS2290, QCS405, QCS4290, QCS6125, QCS6490, QSM8350, SA4150P, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SA8295P, SA8540P, SA9000P, SD 675, SD 8 Gen1 5G, SD 8cx Gen3, SD460, SD480, SD662, SD665, SD670, SD675, SD678, SD680, SD690 5G, SD695, SD710, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD855, SD865 5G, SD870, SD888, SD888 5G, SDX50M, SDX55M, SDX65, SDXR1, SDXR2 5G, SG4150P, SM4125, SM4375, SM6250, SM7250P, SM7315, SM7325P, SSG2115P, SSG2125P, SW5100, SW5100P, SXR1230P, SXR2150P, WCD9326, WCD9335, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WCN7850, WCN7851, WSA8810, WSA8815, WSA8830, WSA8832, WSA8835 |
CVE-2023-22666
| CVE ID | CVE-2023-22666 |
| Title | Integer Overflow or Wraparound in Audio |
| Description | Memory Corruption in Audio while playing amrwbplus clips with modified content. |
| Technology Area | Audio |
| Vulnerability Type | CWE-190 Integer Overflow or Wraparound |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 8.4 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2023/05/01 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8096AU, AQT1000, AR8031, AR8035, CSRA6620, CSRA6640, CSRB31024, MDM9628, MSM8108, MSM8208, MSM8209, MSM8608, MSM8917, MSM8996AU, QAM8295P, QCA4020, QCA6174A, QCA6310, QCA6320, QCA6335, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCA6698AQ, QCA8081, QCA8337, QCA9377, QCA9379, QCM2290, QCM4290, QCM6125, QCM6490, QCN9011, QCN9012, QCN9074, QCS2290, QCS405, QCS410, QCS4290, QCS605, QCS610, QCS6125, QCS6490, QCX315, QRB5165, QRB5165M, QRB5165N, QSM8250, Qualcomm215, SA4150P, SA4155P, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SA8295P, SD 636, SD 675, SD 8 Gen1 5G, SD205, SD210, SD429, SD439, SD450, SD460, SD480, SD625, SD626, SD632, SD660, SD662, SD665, SD670, SD675, SD678, SD680, SD690 5G, SD695, SD710, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD835, SD845, SD855, SD865 5G, SD870, SD888, SD888 5G, SDA429W, SDM429W, SDM630, SDX12, SDX24, SDX50M, SDX55, SDX55M, SDX65, SDXR1, SDXR2 5G, SM4125, SM6250, SM6250P, SM7250P, SM7315, SM7325P, Snapdragon® 4 Gen 1, SXR2150P, WCD9326, WCD9335, WCD9340, WCD9341, WCD9360, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3620, WCN3660, WCN3660B, WCN3680, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835 |
CVE-2023-28537
| CVE ID | CVE-2023-28537 |
| Title | Integer Overflow or Wraparound in Audio |
| Description | Memory corruption while allocating memory in COmxApeDec module in Audio. |
| Technology Area | Audio |
| Vulnerability Type | CWE-190 Integer Overflow or Wraparound |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 8.4 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2023/05/01 |
| Affected Chipsets* | 315 5G IoT Modem, APQ8017, AQT1000, AR8031, AR8035, CSRA6620, CSRA6640, CSRB31024, FastConnect 6200, FastConnect 6700, FastConnect 6800, FastConnect 6900, Flight RB5 5G Platform, Home Hub 100 Platform, MDM9628, MSM8108, MSM8208, MSM8209, MSM8608, MSM8917, MSM8996AU, QAM8295P, QCA6174A, QCA6310, QCA6320, QCA6335, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCA6698AQ, QCA8081, QCA8337, QCA9377, QCA9379, QCM2290, QCM4290, QCM6125, QCM6490, QCN9011, QCN9012, QCN9074, QCS2290, QCS410, QCS4290, QCS610, QCS6125, QCS6490, QRB5165M, QRB5165N, QSM8250, Qualcomm Robotics RB3 Platform, Qualcomm Robotics RB5 Platform, Qualcomm215, SA4150P, SA4155P, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SA8295P, SD 636, SD 675, SD 8 Gen1 5G, SD205, SD210, SD429, SD439, SD450, SD460, SD480, SD625, SD626, SD632, SD660, SD662, SD665, SD670, SD675, SD678, SD680, SD690 5G, SD695, SD710, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD835, SD845, SD855, SD865 5G, SD870, SD888, SDM429W, SDM630, SDX55, SM4125, SM6250, SM6250P, SM7250P, SM7315, SM7325P, Smart Audio 100 Platform, Smart Audio 200 Platform, Smart Display 200 Platform (APQ5053-AA), Snapdragon 820 Automotive Platform, Snapdragon 835 Mobile PC Platform, Snapdragon 888 5G Mobile Platform, Snapdragon 888+ 5G Mobile Platform (SM8350-AC), Snapdragon Auto 5G Modem-RF, Snapdragon Wear 4100+ Platform, Snapdragon X12 LTE Modem, Snapdragon X24 LTE Modem, Snapdragon X50 5G Modem-RF System, Snapdragon X55 5G Modem-RF System, Snapdragon X65 5G Modem-RF System, Snapdragon XR1 Platform, Snapdragon XR2 5G Platform, Snapdragon XR2+ Gen 1 Platform, Snapdragon Auto 4G Modem, Snapdragon® 4 Gen 1, SXR1120, SXR2130, Vision Intelligence 100 Platform (APQ8053-AA), Vision Intelligence 200 Platform (APQ8053-AC), Vision Intelligence 400 Platform, WCD9326, WCD9335, WCD9340, WCD9341, WCD9360, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3620, WCN3660, WCN3660B, WCN3680, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3999, WCN6740, WSA8810, WSA8815, WSA8830, WSA8835 |
CVE-2023-28555
| CVE ID | CVE-2023-28555 |
| Title | Buffer Over-read in Audio |
| Description | Transient DOS in Audio while remapping channel buffer in media codec decoding. |
| Technology Area | Audio |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.5 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Date Reported | 2022/10/19 |
| Customer Notified Date | 2023/05/01 |
| Affected Chipsets* | AR8035, FastConnect 6200, FastConnect 6700, FastConnect 6900, FastConnect 7800, MDM9628, QAM8295P, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6595AU, QCA6696, QCA8081, QCA8337, QCM4325, QCM4490, QCN6024, QCN9024, QCS4490, SA4150P, SA4155P, SA6145P, SA6150P, SA6155P, SA8145P, SA8150P, SA8155P, SA8195P, SA8295P, SD 8 Gen1 5G, SD865 5G, SDX55, SG4150P, SM4450, Snapdragon 4 Gen 1 Mobile Platform, Snapdragon 480 5G Mobile Platform, Snapdragon 480+ 5G Mobile Platform (SM4350-AC), Snapdragon 680 4G Mobile Platform, Snapdragon 685 4G Mobile Platform (SM6225-AD), Snapdragon 695 5G Mobile Platform, Snapdragon 8 Gen 1 Mobile Platform, Snapdragon 8+ Gen 1 Mobile Platform, Snapdragon 888 5G Mobile Platform, Snapdragon 888+ 5G Mobile Platform (SM8350-AC), Snapdragon AR2 Gen 1 Platform, Snapdragon Auto 5G Modem-RF, Snapdragon W5+ Gen 1 Wearable Platform, Snapdragon X65 5G Modem-RF System, Snapdragon XR2 5G Platform, SSG2115P, SSG2125P, SW5100, SW5100P, SXR1230P, SXR2230P, WCD9370, WCD9375, WCD9380, WCD9385, WCN3950, WCN3980, WCN3988, WCN6740, WSA8810, WSA8815, WSA8830, WSA8832, WSA8835 |
CVE-2023-21627
| CVE ID | CVE-2023-21627 |
| Title | Incorrect Type Conversion or Cast in Trusted Execution Environment |
| Description | Memory corruption in Trusted Execution Environment while calling service API with invalid address. |
| Technology Area | HLOS |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | Medium |
| CVSS Score | 6.7 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 2022/07/25 |
| Customer Notified Date | 2023/02/06 |
| Affected Chipsets* | AQT1000, QCA6390, QCA6391, QCA6420, QCA6426, QCA6430, QCA6436, QCA6574AU, QCA6595AU, QCA6696, QCC5100, QCS8155, SA6145P, SA6150P, SA6155P, SA8145P, SA8150P, SA8155P, SA8195P, SD 8 Gen1 5G, SD855, SD865 5G, SD870, SD888 5G, SDA429W, SDX55M, SDXR2 5G, SW5100, SW5100P, WCD9341, WCD9380, WCD9385, WCN3610, WCN3660B, WCN3680B, WCN3980, WCN3988, WCN3998, WCN6850, WCN6851, WCN6855, WCN6856, WCN7850, WCN7851, WSA8810, WSA8815, WSA8830, WSA8835 |
CVE-2023-21648
| CVE ID | CVE-2023-21648 |
| Title | Integer Overflow to Buffer Overflow in RIL |
| Description | Memory corruption in RIL while trying to send apdu packet. |
| Technology Area | RIL |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | Medium |
| CVSS Score | 6.7 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 2022/09/10 |
| Customer Notified Date | 2023/02/06 |
| Affected Chipsets* | AQT1000, QCA6391, QCA6420, QCA6430, QCA6574A, QCA6574AU, QCA6595AU, QCA6696, QCC5100, SA515M, SA6145P, SA6150P, SA6155P, SA8145P, SA8150P, SA8155P, SA8195P, SD855, SDA429W, SDX55, SW5100, SW5100P, WCD9341, WCD9360, WCN3610, WCN3660B, WCN3680B, WCN3980, WCN3988, WCN3998, WSA8810, WSA8815, WSA8830, WSA8835 |
CVE-2023-21650
| CVE ID | CVE-2023-21650 |
| Title | Improper Validation of Array Index in GPS HLOS Driver |
| Description | Memory Corruption in GPS HLOS Driver when injectFdclData receives data with invalid data length. |
| Technology Area | GPS HLOS Driver |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | Medium |
| CVSS Score | 6.7 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 2022/08/30 |
| Customer Notified Date | 2023/02/06 |
| Affected Chipsets* | AQT1000, CSRB31024, QAM8295P, QCA6390, QCA6391, QCA6420, QCA6426, QCA6430, QCA6436, QCA6564, QCA6564AU, QCA6574A, QCA6574AU, QCA6595AU, QCA6696, QCC5100, QCS410, QCS610, SA415M, SA6145P, SA6150P, SA6155P, SA8145P, SA8150P, SA8155P, SA8195P, SA8295P, SD855, SD865 5G, SD870, SDA429W, SDX55M, SDXR2 5G, SW5100, SW5100P, WCD9341, WCD9370, WCD9380, WCN3610, WCN3660B, WCN3680B, WCN3950, WCN3980, WCN3988, WCN3998, WCN6850, WCN6851, WSA8810, WSA8815, WSA8830, WSA8835 |
*The list of affected chipsets may not be complete. For latest information, device OEMs can contact QTI directly at www.qualcomm.com/support.
Open Source Software Issues
The tables below summarize security vulnerabilities that were addressed through open source software
This table lists high impact security vulnerabilities. Patches are being actively shared with OEMs, who have been notified and strongly recommended to deploy those patches on released devices as soon as possible. Please contact the device manufacturer for information on the patching status of released devices.
| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
|---|
This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.
| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
|---|---|---|---|---|
| CVE-2023-21647 | Medium | Medium | Bluetooth HOST | 09/13/2022 |
| CVE-2023-21649 | Medium | Medium | WLAN HOST | 08/29/2022 |
| CVE-2023-28575 | Medium | Medium | Camera Driver | 04/04/2023 |
| CVE-2023-28576 | Medium | Medium | Camera Driver | 04/04/2023 |
| CVE-2023-28577 | Medium | Medium | Camera Driver | 04/04/2023 |
CVE-2023-21647
| CVE ID | CVE-2023-21647 |
| Title | Improper Input Validation in Bluetooth HOST |
| Description | Information disclosure in Bluetooth when an GATT packet is received due to improper input validation. |
| Technology Area | Bluetooth HOST |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Remote |
| Security Rating | Medium |
| CVSS Rating | Medium |
| CVSS Score | 6.5 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| Date Reported | 2022/09/13 |
| Customer Notified Date | 2023/02/06 |
| Affected Chipsets* | QCA6390, QCA6391, QCA6426, QCA6436, QCA6574AU, QCA6595AU, QCA6696, QCC5100, QCN9074, QCS410, QCS610, SA6145P, SA6150P, SA6155P, SA8145P, SA8150P, SA8155P, SA8195P, SD 8 Gen1 5G, SD865 5G, SD870, SDX55M, SDXR2 5G, SW5100, SW5100P, WCD9341, WCD9370, WCD9380, WCN3660B, WCN3680B, WCN3950, WCN3980, WCN3988, WCN6850, WCN6851, WCN6855, WCN6856, WCN7850, WCN7851, WSA8810, WSA8815, WSA8830, WSA8835 |
| Patch** |
CVE-2023-21649
| CVE ID | CVE-2023-21649 |
| Title | Buffer Copy Without Checking Size of Input (`Classic Buffer Overflow`) in WLAN |
| Description | Memory corruption in WLAN while running doDriverCmd for an unspecific command. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | Medium |
| CVSS Score | 6.7 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 2022/08/29 |
| Customer Notified Date | 2023/02/06 |
| Affected Chipsets* | APQ8096AU, AQT1000, MDM9628, MDM9650, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6554A, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCA8337, QCC5100, QCN9074, QCS410, QCS610, SA6145P, SA6150P, SA6155P, SA8145P, SA8150P, SA8155P, SA8195P, SD480, SD695, SD855, SD865 5G, SD870, SDA429W, SDX55, SDX55M, SDXR2 5G, SM4375, SW5100, SW5100P, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3610, WCN3660B, WCN3680B, WCN3950, WCN3980, WCN3988, WCN3991, WCN3998, WCN6850, WCN6851, WSA8810, WSA8815, WSA8830, WSA8835 |
| Patch** |
CVE-2023-28575
| CVE ID | CVE-2023-28575 |
| Title | Multiple Type Confusion Vulnerability |
| Description | The cam_get_device_priv function does not check the type of handle being returned (device/session/link). This would lead to invalid type usage if a wrong handle is passed to it. |
| Technology Area | Camera Driver |
| Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | Medium |
| CVSS Score | 6.7 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 2023/04/04 |
| Customer Notified Date | 2023/07/03 |
| Affected Chipsets* | AQT1000, C-V2X 9150, FastConnect 6200, FastConnect 6800, FastConnect 6900, FastConnect 7800, QAM8295P, QCA6391, QCA6420, QCA6426, QCA6430, QCA6436, QCA6574AU, QCA6696, QCA8337, QCN9074, QCS410, QCS610, QCS8155, Qualcomm 205 Mobile Platform, Qualcomm 215 Mobile Platform, SA6145P, SA6150P, SA6155P, SA8145P, SA8150P, SA8155P, SA8195P, SA8295P, SD855, SD865 5G, SDX55, Snapdragon 210 Processor, Snapdragon 212 Mobile Platform, Snapdragon 8 Gen 1 Mobile Platform, Snapdragon 855 Mobile Platform, Snapdragon 855+/860 Mobile Platform (SM8150-AC), Snapdragon 865 5G Mobile Platform, Snapdragon 865+ 5G Mobile Platform (SM8250-AB), Snapdragon 870 5G Mobile Platform (SM8250-AC), Snapdragon W5+ Gen 1 Wearable Platform, Snapdragon Wear 4100+ Platform, Snapdragon X55 5G Modem-RF System, Snapdragon XR2 5G Platform, SW5100, SW5100P, SXR2130, WCD9341, WCD9370, WCD9380, WCN3610, WCN3660B, WCN3680B, WCN3950, WCN3980, WCN3988, WSA8810, WSA8815, WSA8830, WSA8835 |
| Patch** |
|
CVE-2023-28576
| CVE ID | CVE-2023-28576 |
| Title | Time-of-check Time-of-use (TOCTOU) Race Condition in Camera Kernel Driver |
| Description | The buffer obtained from kernel APIs such as cam_mem_get_cpu_buf() may be readable/writable in userspace after kernel accesses it. In other words, user mode may race and modify the packet header (e.g. header.count), causing checks (e.g. size checks) in kernel code to be invalid. This may lead to out-of-bounds read/write issues. |
| Technology Area | Camera Driver |
| Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | Medium |
| CVSS Score | 6.4 |
| CVSS String | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 2023/04/04 |
| Customer Notified Date | 2023/06/07 |
| Affected Chipsets* | FastConnect 6800, FastConnect 6900, FastConnect 7800, QCA6391, QCA6426, QCA6436, QCN9074, QCS410, QCS610, SD865 5G, Snapdragon 8 Gen 1 Mobile Platform, Snapdragon 865 5G Mobile Platform, Snapdragon 865+ 5G Mobile Platform (SM8250-AB), Snapdragon 870 5G Mobile Platform (SM8250-AC), Snapdragon X55 5G Modem-RF System, Snapdragon XR2 5G Platform, SW5100, SW5100P, SXR2130, WCD9341, WCD9370, WCD9380, WCN3660B, WCN3680B, WCN3950, WCN3980, WCN3988, WSA8810, WSA8815, WSA8830, WSA8835 |
| Patch** |
CVE-2023-28577
| CVE ID | CVE-2023-28577 |
| Title | Multiple Dmabuf Kernel Address UAF Vulnerability |
| Description | In the function call related to CAM_REQ_MGR_RELEASE_BUF there is no check if the buffer is being used. So when a function called cam_mem_get_cpu_buf to get the kernel va to use, another thread can call CAM_REQ_MGR_RELEASE_BUF to unmap the kernel va which cause UAF of the kernel address. |
| Technology Area | Camera Driver |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | Medium |
| CVSS Score | 6.7 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 2023/04/04 |
| Customer Notified Date | 2023/07/03 |
| Affected Chipsets* | FastConnect 6800, FastConnect 6900, FastConnect 7800, QCA6391, QCA6426, QCA6436, QCN9074, QCS410, QCS610, SD865 5G, Snapdragon 8 Gen 1 Mobile Platform, Snapdragon 865 5G Mobile Platform, Snapdragon 865+ 5G Mobile Platform (SM8250-AB), Snapdragon 870 5G Mobile Platform (SM8250-AC), Snapdragon X55 5G Modem-RF System, Snapdragon XR2 5G Platform, SW5100, SW5100P, SXR2130, WCD9341, WCD9370, WCD9380, WCN3660B, WCN3680B, WCN3950, WCN3980, WCN3988, WSA8810, WSA8815, WSA8830, WSA8835 |
| Patch** |
* The list of affected chipsets may not be complete. For latest information, device OEMs can contact QTI directly at www.qualcomm.com/support.
** Data is generated only at the time of bulletin creation
Industry Coordination
Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:
- Consideration of security protections such as SELinux not enforced on some platforms
- Differences in assessment of some specific scenarios that involves local denial of service or privilege escalation vulnerabilities in the high level OS kernel
All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.
Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.
This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.
Qualcomm Technologies, Inc.
San Diego, CA 92121
U.S.A.
© 2022 Qualcomm Technologies, Inc. and/or its subsidiaries. All rights reserved.
- Table of Contents
- Announcements
- Acknowledgements
- Proprietary Software Issues
- CVE-2022-40510
- CVE-2023-21643
- CVE-2023-21651
- CVE-2023-28561
- CVE-2023-21625
- CVE-2023-21626
- CVE-2023-21652
- CVE-2023-22666
- CVE-2023-28537
- CVE-2023-28555
- CVE-2023-21627
- CVE-2023-21648
- CVE-2023-21650
- Open Source Software Issues
- CVE-2023-21647
- CVE-2023-21649
- CVE-2023-28575
- CVE-2023-28576
- CVE-2023-28577
- Industry Coordination
