December 2022 Security Bulletin
Published: 12/05/2022
This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security issues that have been addressed in QTI’s proprietary code and (ii) links to publicly available code where security issues have been addressed.
Please reach out to [email protected] for any questions related to this bulletin.
Table of Contents
| Announcements |
| Acknowledgements |
| Proprietary Software Issues |
| Open Source Software Issues |
| Industry Coordination |
Announcements
None
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
| CVE-2022-22063 | Stephan Gerhold <[email protected]> |
| CVE-2022-25682,CVE-2022-25695 | Peter Park (peterpark) |
| CVE-2022-25685 | Syed Rafiul Hussain, Abdullah Al Ishtiaq, Penn State; Imtiaz Karim, Elisa Bertino, Purdue; Omar Chowdhury, University of Iowa |
| CVE-2022-25677 | Seonung Jang(@IFdLRx4At1WFm74) of STEALIEN |
| CVE-2022-25711 | Pengfei Ding(丁鹏飞) |
| CVE-2022-25712 | Le Wu(吴乐) of Baidu Security |
Proprietary Software Issues
The tables below summarize security vulnerabilities that were addressed through proprietary software.
This table lists high impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.
| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
|---|---|---|---|---|
| CVE-2022-22063 | Critical | High | Core | 10/18/2021 |
| CVE-2022-25672 | High | High | Modem | Internal |
| CVE-2022-25673 | High | High | Modem | Internal |
| CVE-2022-25681 | High | High | KERNEL | Internal |
| CVE-2022-25682 | High | High | User Identity Module | 02/19/2022 |
| CVE-2022-25685 | High | High | Multi-Mode Call Processor | 06/14/2021 |
| CVE-2022-25689 | High | High | Modem | Internal |
| CVE-2022-25691 | High | High | Modem | Internal |
| CVE-2022-25692 | High | High | Modem | Internal |
| CVE-2022-25695 | High | High | User Identity Module | 02/19/2022 |
| CVE-2022-25697 | High | High | Buses | Internal |
| CVE-2022-25698 | High | High | Buses | Internal |
| CVE-2022-25702 | High | High | Modem | Internal |
| CVE-2022-33235 | High | High | WLAN Firmware | Internal |
| CVE-2022-33238 | High | High | WLAN Firmware | Internal |
This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.
| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
|---|---|---|---|---|
| CVE-2022-25675 | Medium | Medium | Data Modem | 11/30/2020 |
CVE-2022-22063
| CVE ID | CVE-2022-22063 |
| Title | Memory corruption in Core |
| Description | Memory corruption in Core due to improper configuration in boot remapper. |
| Technology Area | Core |
| Vulnerability Type | CWE-16 Configuration |
| Access Vector | Local |
| Security Rating | Critical |
| CVSS Rating | High |
| CVSS Score | 8.4 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 2021/10/18 |
| Customer Notified Date | 2022/12/05 |
| Affected Chipsets* | APQ8096AU, MDM9640, MDM9645, QCA6174, QCA6174A, QCA6574A, QCA6574AU, WCN3990 |
CVE-2022-25672
| CVE ID | CVE-2022-25672 |
| Title | Reachable Assertion in MODEM |
| Description | Denial of service in MODEM due to reachable assertion while processing SIB1 with invalid Bandwidth |
| Technology Area | Modem |
| Vulnerability Type | CWE-617 Reachable Assertion |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.5 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2022/05/02 |
| Affected Chipsets* | AR8035, QCA8081, QCA8337, QCN6024, QCN9024, SD 8 Gen1 5G, SD480, SD695, SDX65, SM4375, WCD9370, WCD9375, WCD9380, WCD9385, WCN3988, WCN3998, WCN6855, WCN6856, WCN7850, WCN7851, WSA8810, WSA8815, WSA8830, WSA8835 |
CVE-2022-25673
| CVE ID | CVE-2022-25673 |
| Title | Reachable Assertion in MODEM |
| Description | Denial of service in MODEM due to reachable assertion while processing configuration from network |
| Technology Area | Modem |
| Vulnerability Type | CWE-617 Reachable Assertion |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.5 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2022/06/06 |
| Affected Chipsets* | AR8035, QCA8081, QCA8337, QCN6024, QCN9024, SD 8 Gen1 5G, SDX65, WCD9380, WCN6855, WCN6856, WCN7850, WCN7851, WSA8830, WSA8835 |
CVE-2022-25681
| CVE ID | CVE-2022-25681 |
| Title | Improper Access Control in KERNEL |
| Description | Possible memory corruption in kernel while performing memory access due to the hypervisor not correctly invalidating the processor translation caches |
| Technology Area | KERNEL |
| Vulnerability Type | CWE-284 Improper Access Control |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 8.4 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2022/05/02 |
| Affected Chipsets* | AQT1000, AR8035, QAM8295P, QCA6174A, QCA6310, QCA6335, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6595, QCA6595AU, QCA6696, QCA8081, QCA8337, QCA9377, QCM6490, QCN9011, QCN9012, QCS603, QCS605, QCS6490, QRB5165, QRB5165M, QRB5165N, QSM8350, SA6145P, SA6155, SA6155P, SA8150P, SA8155, SA8155P, SA8295P, SA8540P, SA9000P, SD 675, SD 8 Gen1 5G, SD 8CX, SD 8cx Gen2, SD 8cx Gen3, SD670, SD675, SD678, SD765, SD765G, SD768G, SD778G, SD780G, SD845, SD850, SD855, SD865 5G, SD870, SD888, SD888 5G, SDX24, SDX50M, SDX55, SDX55M, SDX57M, SDX65, SDXR2 5G, SM7250P, SM7315, SM7325P, WCD9326, WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3950, WCN3980, WCN3990, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WCN7850, WCN7851, WSA8810, WSA8815, WSA8830, WSA8835 |
CVE-2022-25682
| CVE ID | CVE-2022-25682 |
| Title | Use of Out-of-range Pointer Offset in MODEM |
| Description | Memory corruption in MODEM UIM due to usage of out of range pointer offset while decoding command from card |
| Technology Area | User Identity Module |
| Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 8.4 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 2022/02/19 |
| Customer Notified Date | 2022/05/02 |
| Affected Chipsets* | APQ8009, APQ8009W, APQ8017, APQ8037, APQ8052, APQ8056, APQ8076, APQ8096AU, AQT1000, AR6003, AR8035, CSRA6620, CSRA6640, CSRB31024, MDM8207, MDM8215, MDM8215M, MDM8615M, MDM9150, MDM9205, MDM9206, MDM9207, MDM9215, MDM9230, MDM9250, MDM9310, MDM9330, MDM9607, MDM9615, MDM9615M, MDM9628, MDM9630, MDM9640, MDM9650, MDM9655, MSM8108, MSM8208, MSM8209, MSM8608, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8952, MSM8956, MSM8976, MSM8976SG, MSM8996AU, QCA4004, QCA6174, QCA6174A, QCA6310, QCA6320, QCA6335, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584, QCA6584AU, QCA6595AU, QCA6696, QCA8081, QCA8337, QCA9367, QCA9377, QCC5100, QCM2290, QCM4290, QCM6125, QCM6490, QCN6024, QCN9024, QCS2290, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QCS6490, QCX315, QET4101, QSW8573, Qualcomm215, SA415M, SA515M, SC8180X+SDX55, SD 455, SD 636, SD 675, SD 8 Gen1 5G, SD 8cx Gen2, SD205, SD210, SD429, SD439, SD450, SD460, SD480, SD625, SD626, SD632, SD660, SD662, SD665, SD670, SD675, SD678, SD680, SD690 5G, SD695, SD710, SD712, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD7c, SD820, SD821, SD835, SD845, SD850, SD855, SD865 5G, SD870, SD888, SD888 5G, SDA429W, SDM429W, SDM630, SDW2500, SDX12, SDX20, SDX24, SDX50M, SDX55, SDX55M, SDX57M, SDX65, SDXR1, SDXR2 5G, SM4375, SM6250, SM6250P, SM7250P, SM7315, SM7325P, SW5100, SW5100P, WCD9306, WCD9326, WCD9330, WCD9335, WCD9340, WCD9341, WCD9360, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3620, WCN3660, WCN3660B, WCN3680, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WCN7850, WCN7851, WSA8810, WSA8815, WSA8830, WSA8835 |
CVE-2022-25685
| CVE ID | CVE-2022-25685 |
| Title | Improper Authentication in Modem |
| Description | Denial of service in Modem module due to improper authorization while error handling |
| Technology Area | Multi-Mode Call Processor |
| Vulnerability Type | CWE-285 Improper Authorization |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.5 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Date Reported | 2021/06/14 |
| Customer Notified Date | 2022/06/06 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8037, AQT1000, AR8035, CSRA6620, CSRA6640, MSM8108, MSM8208, MSM8209, MSM8608, MSM8917, MSM8937, QCA6174A, QCA6310, QCA6320, QCA6390, QCA6391, QCA6421, QCA6426, QCA6431, QCA6436, QCA6574A, QCA6574AU, QCA6595AU, QCA6696, QCA8081, QCA8337, QCC5100, QCM2290, QCM4290, QCM6125, QCM6490, QCN6024, QCN9024, QCS2290, QCS405, QCS410, QCS4290, QCS610, QCS6125, QCS6490, QCX315, SA515M, SD 675, SD 8 Gen1 5G, SD205, SD210, SD429, SD439, SD460, SD480, SD662, SD665, SD675, SD678, SD680, SD690 5G, SD695, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD7c, SD820, SD821, SD835, SD855, SD865 5G, SD870, SD888, SD888 5G, SDA429W, SDM429W, SDX50M, SDX55, SDX55M, SDX57M, SDX65, SDXR2 5G, SM6250, SM6250P, SM7250P, SM7315, SM7325P, SW5100, SW5100P, WCD9326, WCD9335, WCD9340, WCD9341, WCD9360, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3620, WCN3660B, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WCN7850, WCN7851, WSA8810, WSA8815, WSA8830, WSA8835 |
CVE-2022-25689
| CVE ID | CVE-2022-25689 |
| Title | Reachable Assertion in MODEM |
| Description | Denial of service in Modem due to reachable assertion |
| Technology Area | Modem |
| Vulnerability Type | CWE-617 Reachable Assertion |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.5 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2022/06/06 |
| Affected Chipsets* | AR8035, QCA8081, QCA8337, QCN6024, QCN9024, SDX65, WCD9380, WCN6855, WCN6856 |
CVE-2022-25691
| CVE ID | CVE-2022-25691 |
| Title | Reachable Assertion in MODEM |
| Description | Denial of service in Modem due to reachable assertion while processing SIB1 with invalid SCS and bandwidth settings |
| Technology Area | Modem |
| Vulnerability Type | CWE-617 Reachable Assertion |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.5 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2022/06/06 |
| Affected Chipsets* | AR8035, QCA8081, QCA8337, QCN6024, QCN9024, SD 8 Gen1 5G, SD480, SD695, SDX65, SM4375, WCD9370, WCD9375, WCD9380, WCD9385, WCN3988, WCN3998, WCN6855, WCN6856, WCN7850, WCN7851, WSA8810, WSA8815, WSA8830, WSA8835 |
CVE-2022-25692
| CVE ID | CVE-2022-25692 |
| Title | Reachable Assertion in MODEM |
| Description | Denial of service in Modem due to reachable assertion while processing the common config procedure |
| Technology Area | Modem |
| Vulnerability Type | CWE-617 Reachable Assertion |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.5 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2022/06/06 |
| Affected Chipsets* | AR8035, QCA6390, QCA6391, QCA6574A, QCA6595AU, QCA6696, QCA8081, QCA8337, QCM6490, QCN6024, QCN9024, QCS6490, QCX315, SA515M, SD 8 Gen1 5G, SD429, SD480, SD690 5G, SD695, SD765, SD765G, SD768G, SD778G, SD780G, SD865 5G, SD870, SD888 5G, SDA429W, SDM429W, SDX55, SDX55M, SDX57M, SDX65, SM4375, SM7250P, SM7325P, WCD9341, WCD9360, WCD9370, WCD9375, WCD9380, WCD9385, WCN3610, WCN3620, WCN3660B, WCN3680B, WCN3980, WCN3988, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WCN7850, WCN7851, WSA8810, WSA8815, WSA8830, WSA8835 |
CVE-2022-25695
| CVE ID | CVE-2022-25695 |
| Title | Improper Validation of Array Index in MODEM |
| Description | Memory corruption in MODEM due to Improper Validation of Array Index while processing GSTK Proactive commands |
| Technology Area | User Identity Module |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 8.4 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 2022/02/19 |
| Customer Notified Date | 2022/06/06 |
| Affected Chipsets* | APQ8009, APQ8009W, APQ8017, APQ8037, APQ8052, APQ8056, APQ8076, APQ8096AU, AQT1000, AR8035, CSRA6620, CSRA6640, CSRB31024, FSM10055, MDM8207, MDM9150, MDM9205, MDM9206, MDM9207, MDM9230, MDM9250, MDM9330, MDM9607, MDM9628, MDM9630, MDM9640, MDM9650, MSM8108, MSM8208, MSM8209, MSM8608, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8952, MSM8956, MSM8976, MSM8976SG, MSM8996AU, QCA4004, QCA6174, QCA6174A, QCA6310, QCA6320, QCA6335, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584, QCA6584AU, QCA6595AU, QCA6696, QCA8081, QCA8337, QCA9367, QCA9377, QCA9379, QCC5100, QCM2290, QCM4290, QCM6125, QCM6490, QCN6024, QCN9024, QCS2290, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QCS6490, QCX315, QET4101, QSW8573, Qualcomm215, SA415M, SA515M, SC8180X+SDX55, SD 455, SD 636, SD 675, SD 8 Gen1 5G, SD 8cx Gen2, SD205, SD210, SD429, SD439, SD450, SD460, SD480, SD625, SD626, SD632, SD660, SD662, SD665, SD670, SD675, SD678, SD680, SD690 5G, SD695, SD710, SD712, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD7c, SD820, SD821, SD835, SD845, SD850, SD855, SD865 5G, SD870, SD888, SD888 5G, SDA429W, SDM429W, SDM630, SDW2500, SDX12, SDX20, SDX24, SDX50M, SDX55, SDX55M, SDX57M, SDX65, SDXR1, SDXR2 5G, SM4375, SM6250, SM6250P, SM7250P, SM7315, SM7325P, SW5100, SW5100P, WCD9306, WCD9326, WCD9330, WCD9335, WCD9340, WCD9341, WCD9360, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3620, WCN3660, WCN3660B, WCN3680, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WCN7850, WCN7851, WSA8810, WSA8815, WSA8830, WSA8835 |
CVE-2022-25697
| CVE ID | CVE-2022-25697 |
| Title | Improper Input Validation in i2c Buses |
| Description | Memory corruption in i2c buses due to improper input validation while reading address configuration from i2c driver |
| Technology Area | Buses |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 8.4 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2022/06/06 |
| Affected Chipsets* | SD 8 Gen1 5G, SD429, SDA429W, SDM429W, WCD9380, WCN3610, WCN3620, WCN3660B, WCN3680B, WCN3980, WCN6855, WCN6856, WCN7850, WCN7851, WSA8830, WSA8835 |
CVE-2022-25698
| CVE ID | CVE-2022-25698 |
| Title | Improper Input Validation in SPI Buses |
| Description | Memory corruption in SPI buses due to improper input validation while reading address configuration from spi buses |
| Technology Area | Buses |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 8.4 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2022/06/06 |
| Affected Chipsets* | SD 8 Gen1 5G, SD429, SDA429W, SDM429W, WCD9380, WCN3610, WCN3620, WCN3660B, WCN3680B, WCN3980, WCN6855, WCN6856, WCN7850, WCN7851, WSA8830, WSA8835 |
CVE-2022-25702
| CVE ID | CVE-2022-25702 |
| Title | Reachable Assertion in Modem |
| Description | Denial of service in modem due to reachable assertion while processing reconfiguration message |
| Technology Area | Modem |
| Vulnerability Type | CWE-617 Reachable Assertion |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.5 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2022/06/06 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8037, AQT1000, AR8035, FSM10055, MSM8108, MSM8208, MSM8209, MSM8608, MSM8917, MSM8937, QCA6390, QCA6391, QCA6421, QCA6426, QCA6431, QCA6436, QCA8081, QCA8337, QCN6024, QCN9024, QCX315, SA515M, SD 8 Gen1 5G, SD205, SD210, SD429, SD439, SD480, SD690 5G, SD695, SD750G, SD765, SD765G, SD768G, SD780G, SD855, SD865 5G, SD870, SD888, SDA429W, SDM429W, SDX50M, SDX55, SDX55M, SDX65, SDXR2 5G, SM4375, SM7250P, SM7315, WCD9326, WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3620, WCN3660B, WCN3680B, WCN3980, WCN3988, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WCN7850, WCN7851, WSA8810, WSA8815, WSA8830, WSA8835 |
CVE-2022-33235
| CVE ID | CVE-2022-33235 |
| Title | Buffer over-read in WLAN firmware |
| Description | Information disclosure due to buffer over-read in WLAN firmware while parsing security context info attributes. |
| Technology Area | WLAN Firmware |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 8.2 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L |
| Date Reported | Internal |
| Customer Notified Date | 2022/09/05 |
| Affected Chipsets* | APQ8009, APQ8096AU, AQT1000, AR8031, AR8035, AR9380, CSR8811, CSRA6620, CSRA6640, CSRB31024, IPQ4018, IPQ4028, IPQ4029, IPQ5010, IPQ5018, IPQ5028, IPQ6000, IPQ6010, IPQ6018, IPQ6028, IPQ8064, IPQ8069, IPQ8070, IPQ8070A, IPQ8071, IPQ8071A, IPQ8072, IPQ8072A, IPQ8074, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078, IPQ8078A, IPQ8173, IPQ8174, IPQ9008, IPQ9574, MDM9640, MSM8996AU, PMP8074, QAM8295P, QCA1062, QCA1064, QCA2062, QCA2064, QCA2065, QCA2066, QCA4020, QCA4024, QCA6174A, QCA6310, QCA6335, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6428, QCA6430, QCA6431, QCA6436, QCA6438, QCA6554A, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCA8072, QCA8075, QCA8081, QCA8082, QCA8084, QCA8085, QCA8337, QCA8386, QCA9367, QCA9377, QCA9379, QCA9888, QCA9889, QCA9898, QCA9980, QCA9984, QCA9990, QCA9992, QCA9994, QCC5100, QCM2290, QCM4290, QCM6125, QCM6490, QCN5021, QCN5022, QCN5024, QCN5052, QCN5054, QCN5122, QCN5124, QCN5152, QCN5154, QCN5164, QCN6023, QCN6024, QCN6100, QCN6102, QCN6112, QCN6122, QCN6132, QCN7605, QCN7606, QCN9000, QCN9001, QCN9002, QCN9003, QCN9011, QCN9012, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCN9100, QCN9274, QCS2290, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QCS6490, QCX315, QRB5165, QRB5165M, QRB5165N, QSM8250, QSM8350, SA4150P, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SA8295P, SC8180X+SDX55, SD 675, SD 8 Gen1 5G, SD 8CX, SD 8cx Gen2, SD 8cx Gen3, SD460, SD480, SD660, SD662, SD665, SD670, SD675, SD678, SD680, SD690 5G, SD695, SD710, SD712, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD7c, SD820, SD845, SD850, SD855, SD865 5G, SD870, SD888, SD888 5G, SDX20, SDX20M, SDX24, SDX50M, SDX55, SDX55M, SDX65, SDXR1, SDXR2 5G, SM4125, SM4375, SM6250, SM6250P, SM7250P, SM7315, SM7325P, SW5100, SW5100P, SXR2150P, WCD9326, WCD9330, WCD9335, WCD9340, WCD9341, WCD9360, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3660B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WCN7850, WCN7851, WSA8810, WSA8815, WSA8830, WSA8835 |
CVE-2022-33238
| CVE ID | CVE-2022-33238 |
| Title | Loop with unreachable exit condition in WLAN |
| Description | Transient DOS due to loop with unreachable exit condition in WLAN while processing incoming FTM frames. |
| Technology Area | WLAN Firmware |
| Vulnerability Type | CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.5 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2022/09/05 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8064AU, APQ8076, APQ8096AU, AQT1000, AR8031, AR8035, AR9380, CSR8811, CSRA6620, CSRA6640, CSRB31024, IPQ4018, IPQ4019, IPQ4028, IPQ4029, IPQ5010, IPQ5018, IPQ5028, IPQ6000, IPQ6010, IPQ6018, IPQ6028, IPQ8064, IPQ8065, IPQ8068, IPQ8069, IPQ8070, IPQ8070A, IPQ8071, IPQ8071A, IPQ8072, IPQ8072A, IPQ8074, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078, IPQ8078A, IPQ8173, IPQ8174, IPQ9008, IPQ9574, MDM8215, MDM9206, MDM9215, MDM9250, MDM9310, MDM9607, MDM9615, MDM9628, MDM9640, MDM9645, MDM9650, MSM8976, MSM8996AU, PMP8074, QAM8295P, QCA0000, QCA1023, QCA1062, QCA1064, QCA2062, QCA2064, QCA2065, QCA2066, QCA4020, QCA4024, QCA4531, QCA6174, QCA6174A, QCA6175A, QCA6310, QCA6320, QCA6335, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6428, QCA6430, QCA6431, QCA6436, QCA6438, QCA6554A, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCA7500, QCA8072, QCA8075, QCA8081, QCA8082, QCA8084, QCA8085, QCA8337, QCA8386, QCA9367, QCA9369, QCA9377, QCA9379, QCA9880, QCA9886, QCA9888, QCA9889, QCA9898, QCA9980, QCA9984, QCA9985, QCA9987, QCA9990, QCA9992, QCA9994, QCC5100, QCM2290, QCM4290, QCM6125, QCM6490, QCN5021, QCN5022, QCN5024, QCN5052, QCN5054, QCN5064, QCN5122, QCN5124, QCN5152, QCN5154, QCN5164, QCN5550, QCN6023, QCN6024, QCN6100, QCN6102, QCN6112, QCN6122, QCN6132, QCN7605, QCN7606, QCN9000, QCN9001, QCN9002, QCN9003, QCN9011, QCN9012, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCN9100, QCN9274, QCS2290, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QCS6490, QCX315, QRB5165, QRB5165M, QRB5165N, QSM8250, QSM8350, SA4150P, SA4155P, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SA8295P, SC8180X+SDX55, SD 675, SD 8 Gen1 5G, SD 8CX, SD 8cx Gen2, SD 8cx Gen3, SD460, SD480, SD660, SD662, SD665, SD670, SD675, SD678, SD680, SD690 5G, SD695, SD710, SD712, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD7c, SD820, SD821, SD835, SD845, SD850, SD855, SD865 5G, SD870, SD888, SD888 5G, SDX12, SDX20, SDX20M, SDX24, SDX50M, SDX55, SDX55M, SDX65, SDXR1, SDXR2 5G, SM4125, SM4375, SM6250, SM6250P, SM7250P, SM7315, SM7325P, SW5100, SW5100P, SXR2150P, WCD9326, WCD9330, WCD9335, WCD9340, WCD9341, WCD9360, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3660B, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WCN7850, WCN7851, WSA8810, WSA8815, WSA8830, WSA8835 |
CVE-2022-25675
| CVE ID | CVE-2022-25675 |
| Title | Reachable Assertion in Data Modem |
| Description | Denial of service due to reachable assertion in modem while processing filter rule from application client |
| Technology Area | Data Modem |
| Vulnerability Type | CWE-617 Reachable Assertion |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | Medium |
| CVSS Score | 5.5 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| Date Reported | 2020/11/30 |
| Customer Notified Date | 2022/06/06 |
| Affected Chipsets* | AQT1000, QCA6310, QCA6320, QCA6390, QCA6391, QCA6420, QCA6430, QCM6490, QCS6490, QCX315, SD480, SD690 5G, SD695, SD765, SD765G, SD768G, SD778G, SD780G, SD835, SD855, SD865 5G, SD870, SD888 5G, SDX55, SDX55M, SDX65, SM7250P, SM7325P, WCD9335, WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3988, WCN3990, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835 |
*The list of affected chipsets may not be complete. For latest information, device OEMs can contact QTI directly at www.qualcomm.com/support.
Open Source Software Issues
The tables below summarize security vulnerabilities that were addressed through open source software.
This table lists high impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.
| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
|---|---|---|---|---|
| CVE-2022-33268 | High | High | Bluetooth HOST | Internal |
This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.
| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
|---|---|---|---|---|
| CVE-2022-25677 | Medium | Medium | Core Services | 12/16/2021 |
| CVE-2022-25711 | Medium | Medium | Camera Driver | 07/27/2021 |
| CVE-2022-25712 | Medium | Medium | Camera Driver | 02/26/2022 |
CVE-2022-33268
| CVE ID | CVE-2022-33268 |
| Title | Buffer over-read in Bluetooth HOST |
| Description | Information disclosure due to buffer over-read in Bluetooth HOST while pairing and connecting A2DP. |
| Technology Area | Bluetooth HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 8.2 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L |
| Date Reported | Internal |
| Customer Notified Date | 2022/08/01 |
| Affected Chipsets* | APQ8009, APQ8017, AR8031, CSRA6620, CSRA6640, MDM9206, MDM9250, MDM9607, MDM9628, QCA6174A, QCA6310, QCA6320, QCA6335, QCA6390, QCA6391, QCA6426, QCA6436, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595AU, QCA6696, QCA8337, QCA9367, QCA9377, QCC5100, QCN9011, QCN9012, QCN9074, QCS405, QCS410, QCS605, QCS610, QRB5165, QRB5165M, QRB5165N, Qualcomm215, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 8 Gen1 5G, SD205, SD210, SD429, SD660, SD835, SD845, SD865 5G, SD870, SDM429W, SDX24, SDX55, SDX55M, SDXR1, SDXR2 5G, SW5100, SW5100P, WCD9326, WCD9330, WCD9335, WCD9340, WCD9341, WCD9370, WCD9380, WCD9385, WCN3610, WCN3615, WCN3620, WCN3660B, WCN3680, WCN3680B, WCN3950, WCN3980, WCN3988, WCN3990, WCN3998, WCN6850, WCN6851, WCN6855, WCN6856, WCN7850, WCN7851, WSA8810, WSA8815, WSA8830, WSA8835 |
| Patch** |
CVE-2022-25677
| CVE ID | CVE-2022-25677 |
| Title | Use After Free in DIAG |
| Description | Memory corruption in diag due to use after free while processing dci packet |
| Technology Area | Core Services |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | Medium |
| CVSS Score | 6.7 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 2021/12/16 |
| Customer Notified Date | 2022/06/06 |
| Affected Chipsets* | APQ8096AU, AQT1000, AR9380, CSR8811, IPQ4018, IPQ4019, IPQ4028, IPQ4029, IPQ5010, IPQ5018, IPQ5028, IPQ6000, IPQ6010, IPQ6018, IPQ6028, IPQ8064, IPQ8065, IPQ8068, IPQ8070, IPQ8070A, IPQ8071A, IPQ8072A, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078, IPQ8078A, IPQ8173, IPQ8174, IPQ9008, IPQ9574, MDM9150, MDM9650, MSM8996AU, PMP8074, QCA4024, QCA6310, QCA6320, QCA6335, QCA6390, QCA6391, QCA6420, QCA6426, QCA6430, QCA6436, QCA6564, QCA6564A, QCA6564AU, QCA6574A, QCA6574AU, QCA6595, QCA6595AU, QCA7500, QCA8072, QCA8075, QCA8081, QCA8337, QCA9880, QCA9886, QCA9888, QCA9889, QCA9898, QCA9980, QCA9984, QCA9985, QCA9990, QCA9992, QCA9994, QCN5021, QCN5022, QCN5024, QCN5052, QCN5054, QCN5122, QCN5124, QCN5152, QCN5154, QCN5164, QCN6023, QCN6024, QCN6100, QCN6102, QCN6112, QCN6122, QCN6132, QCN9000, QCN9012, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCN9100, QCN9274, QCS410, QCS610, QCS8155, QSM8250, Qualcomm215, SA515M, SA6145P, SA6155P, SA8155P, SD 675, SD205, SD210, SD429, SD675, SD678, SD720G, SD730, SD835, SD845, SD855, SD865 5G, SD870, SDA429W, SDM429W, SDX50M, SDX55, SDX55M, SDXR2 5G, SM6250, WCD9335, WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCN3610, WCN3620, WCN3660B, WCN3680B, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN6850, WCN6851, WSA8810, WSA8815 |
| Patch** |
CVE-2022-25711
| CVE ID | CVE-2022-25711 |
| Title | Improper Validation of Array Index in Camera |
| Description | Memory corruption in camera due to improper validation of array index |
| Technology Area | Camera Driver |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | Medium |
| CVSS Score | 6.7 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 2021/07/27 |
| Customer Notified Date | 2022/06/06 |
| Affected Chipsets* | AQT1000, MDM9150, QCA6390, QCA6391, QCA6420, QCA6426, QCA6430, QCA6436, QCA6574AU, QCA6595AU, QCA6696, QCA8337, QCC5100, QCN9074, QCS410, QCS610, QCS8155, Qualcomm215, SA6145P, SA6150P, SA6155P, SA8145P, SA8150P, SA8155P, SA8195P, SD 8 Gen1 5G, SD205, SD210, SD855, SD865 5G, SD870, SDA429W, SDX55, SDX55M, SDXR2 5G, SW5100, SW5100P, WCD9340, WCD9341, WCD9370, WCD9380, WCN3610, WCN3660B, WCN3680B, WCN3950, WCN3980, WCN3988, WCN3998, WCN6850, WCN6851, WCN6855, WCN6856, WCN7850, WCN7851, WSA8810, WSA8815, WSA8830, WSA8835 |
| Patch** |
CVE-2022-25712
| CVE ID | CVE-2022-25712 |
| Title | Out-of-bounds access due to ION buffer size mismatch |
| Description | Memory corruption in camera due to buffer copy without checking size of input |
| Technology Area | Camera Driver |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | Medium |
| CVSS Score | 6.7 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 2022/02/26 |
| Customer Notified Date | 2022/06/06 |
| Affected Chipsets* | AQT1000, MDM9150, QCA6310, QCA6335, QCA6390, QCA6391, QCA6420, QCA6426, QCA6430, QCA6436, QCC5100, QCS410, QCS610, Qualcomm215, SD205, SD210, SD710, SD845, SD855, SD865 5G, SD870, SDA429W, SDX55M, SDXR1, SDXR2 5G, SW5100, SW5100P, WCD9326, WCD9340, WCD9341, WCD9370, WCD9380, WCN3610, WCN3660B, WCN3680B, WCN3950, WCN3980, WCN3988, WCN3990, WCN3998, WCN6850, WCN6851, WSA8810, WSA8815, WSA8830, WSA8835 |
| Patch** |
* The list of affected chipsets may not be complete. For latest information, device OEMs can contact QTI directly at www.qualcomm.com/support.
** Data is generated only at the time of bulletin creation
Industry Coordination
Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:
- Consideration of security protections such as SELinux not enforced on some platforms
- Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high level OS kernel
All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.
Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.
This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.
Qualcomm Technologies, Inc.
San Diego, CA 92121
U.S.A.
© 2022 Qualcomm Technologies, Inc. and/or its subsidiaries. All rights reserved.
