July 2021 Security Bulletin

Version 1.0

Published: 07/05/2021

This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices.

Please reach out to [email protected] for any questions related to this bulletin.

Table of Contents

Announcements
Acknowledgements
Proprietary Software Issues
Open Source Software Issues
Industry Coordination
Version History

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2021-1965, CVE-2021-1970 Hao Chen (@flankersky) and Guang Gong (@oldfresher) of 360 Alpha Lab
CVE-2021-1887 Domien Schepers (domienschepers)
CVE-2021-1931 Christopher Wade of Pen Test Partners
CVE-2021-1938, CVE-2021-1953, CVE-2021-1955 Haikuo Xie of Singular Security Lab
CVE-2021-1940 Man Yue Mo
CVE-2021-1943, CVE-2021-1945, CVE-2021-1954, CVE-2021-1964, CVE-2021-1897, CVE-2021-1899, CVE-2021-1901 Gengjia Chen (@chengjia4574) from IceSword Lab
CVE-2021-1896 Štefan Svorenčík of ESET

Proprietary Software Issues

The tables below summarize security vulnerabilities that were addressed through proprietary software.

This table lists high impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.

| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
| --- | --- | --- | --- | --- |
| CVE-2020-11307 | Critical | Critical | Data Network Stack & Connectivity | Internal |
| CVE-2021-1886 | Critical | High | HLOS | Internal |
| CVE-2021-1888 | Critical | High | HLOS | Internal |
| CVE-2021-1889 | Critical | High | HLOS | Internal |
| CVE-2021-1890 | Critical | High | HLOS | Internal |
| CVE-2021-1887 | High | High | WLAN Firmware | 08/06/2020 |
| CVE-2021-1938 | High | High | WLAN Firmware | 11/20/2020 |
| CVE-2021-1953 | High | High | WLAN Firmware | 12/16/2020 |

This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.

| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
| --- | --- | --- | --- | --- |
| CVE-2021-1896 | Medium | Medium | WLAN Windows Host | 07/09/2020 |

CVE-2020-11307

CVE ID CVE-2020-11307
Title Integer Overflow to Buffer Overflow in Data HLOS
Description Buffer overflow in modem due to improper array index check before copying into it
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Remote
Security Rating Critical
CVSS Rating Critical
CVSS Score 9.8
CVSS String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported Internal
Customer Notified Date 12/07/2020
Affected Chipsets* APQ8009W, APQ8017, APQ8053, APQ8064AU, APQ8096AU, AQT1000, MSM8909W, MSM8917, MSM8937, MSM8953, MSM8996AU, PM8937, QCA6320, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6595, QCA6595AU, QCA6696, QCM2290, QCM4290, QCM6125, QCS2290, QCS4290, QCS603, QCS605, QCS610, QCS6125, Qualcomm215, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 455, SD 636, SD 675, SD205, SD210, SD429, SD439, SD450, SD460, SD480, SD632, SD660, SD662, SD665, SD670, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD835, SD855, SD865 5G, SD870, SD888, SD888 5G, SDM429W, SDM630, SDM830, SDW2500, SDX50M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM6250P, SM7250P, SM7325P, WCD9335, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3620, WCN3660, WCN3660B, WCN3680, WCN3680B, WCN3910, WCN3950, WCN3988, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6856, WSA8830, WSA8835

CVE-2021-1886

CVE ID CVE-2021-1886
Title Untrusted Pointer Dereference in Key Management
Description Incorrect handling of pointers in trusted application key import mechanism could cause memory corruption
Technology Area HLOS
Vulnerability Type CWE-822 Untrusted Pointer Dereference
Access Vector Local
Security Rating Critical
CVSS Rating High
CVSS Score 8.4
CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported Internal
Customer Notified Date 01/04/2021
Affected Chipsets* APQ8017, APQ8037, APQ8053, APQ8064AU, APQ8096AU, AQT1000, AR8031, AR8035, CSRA6620, CSRA6640, CSRB31024, FSM10055, FSM10056, MDM9205, MDM9640, MDM9650, MDM9655, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, PM8937, QCA4004, QCA4020, QCA6174A, QCA6175A, QCA6234, QCA6320, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6694, QCA6694AU, QCA6696, QCA8337, QCA9377, QCA9379, QCM2290, QCM4290, QCM6125, QCS2290, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QSM8250, QSM8350, Qualcomm215, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SC8180X+SDX55, SD 455, SD 636, SD 675, SD 8C, SD 8CX, SD429, SD439, SD450, SD460, SD480, SD632, SD660, SD662, SD665, SD670, SD675, SD678, SD690 5G, SD712, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD7c, SD820, SD821, SD835, SD850, SD855, SD865 5G, SD870, SD888 5G, SDA429W, SDM429W, SDM630, SDX24, SDX50M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM6250P, SM7250P, SM7325P, WCD9306, WCD9335, WCD9360, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3620, WCN3660, WCN3660B, WCN3680, WCN3680B, WCN3910, WCN3950, WCN3988, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8830, WSA8835

CVE-2021-1888

CVE ID CVE-2021-1888
Title Double Free in Trusted Application
Description Memory corruption in key parsing and import function due to double freeing the same heap allocation
Technology Area HLOS
Vulnerability Type CWE-415 Double Free
Access Vector Local
Security Rating Critical
CVSS Rating High
CVSS Score 8.4
CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported Internal
Customer Notified Date 01/04/2021
Affected Chipsets* APQ8017, APQ8037, APQ8053, APQ8064AU, APQ8096AU, AQT1000, AR8031, AR8035, CSRA6620, CSRA6640, FSM10055, FSM10056, MDM9205, MDM9640, MDM9650, MDM9655, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, PM8937, QCA4004, QCA4020, QCA6174A, QCA6175A, QCA6234, QCA6320, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6694, QCA6694AU, QCA6696, QCA8337, QCA9379, QCM2290, QCM4290, QCM6125, QCS2290, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QSM8250, QSM8350, Qualcomm215, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SC8180X+SDX55, SD 455, SD 636, SD 675, SD 8C, SD 8CX, SD429, SD439, SD450, SD460, SD480, SD632, SD660, SD662, SD665, SD670, SD675, SD678, SD690 5G, SD712, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD7c, SD820, SD821, SD835, SD850, SD855, SD865 5G, SD870, SD888 5G, SDA429W, SDM429W, SDM630, SDX50M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM6250P, SM7250P, SM7325P, WCD9306, WCD9335, WCD9360, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3620, WCN3660, WCN3660B, WCN3680, WCN3680B, WCN3910, WCN3950, WCN3988, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8830, WSA8835

CVE-2021-1889

CVE ID CVE-2021-1889
Title Buffer Copy Without Checking Size of Input in Trusted Application
Description Possible buffer overflow due to lack of length check in Trusted Application
Technology Area HLOS
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating Critical
CVSS Rating High
CVSS Score 8.4
CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported Internal
Customer Notified Date 01/04/2021
Affected Chipsets* APQ8017, APQ8037, APQ8053, APQ8064AU, APQ8096AU, AQT1000, AR8031, AR8035, CSRA6620, CSRA6640, CSRB31024, FSM10055, FSM10056, MDM9205, MDM9640, MDM9650, MDM9655, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, PM8937, QCA4004, QCA4020, QCA6174A, QCA6175A, QCA6234, QCA6320, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6694, QCA6694AU, QCA6696, QCA8337, QCA9377, QCA9379, QCM2290, QCM4290, QCM6125, QCS2290, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QSM8250, QSM8350, Qualcomm215, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SC8180X+SDX55, SD 455, SD 636, SD 675, SD 8C, SD 8CX, SD429, SD439, SD450, SD460, SD480, SD632, SD660, SD662, SD665, SD670, SD675, SD678, SD690 5G, SD712, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD7c, SD820, SD821, SD835, SD850, SD855, SD865 5G, SD870, SD888 5G, SDA429W, SDM429W, SDM630, SDX24, SDX50M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM6250P, SM7250P, SM7325P, WCD9306, WCD9335, WCD9360, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3620, WCN3660, WCN3660B, WCN3680, WCN3680B, WCN3910, WCN3950, WCN3988, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8830, WSA8835

CVE-2021-1890

CVE ID CVE-2021-1890
Title Improper Restrictions of Operations within the Bounds of a Memory Buffer in Trusted Application
Description Improper length check of public exponent in RSA import key function could cause memory corruption.
Technology Area HLOS
Vulnerability Type CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Access Vector Local
Security Rating Critical
CVSS Rating High
CVSS Score 8.4
CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported Internal
Customer Notified Date 01/04/2021
Affected Chipsets* APQ8017, APQ8037, APQ8053, APQ8064AU, APQ8096AU, AQT1000, AR8031, AR8035, CSRA6620, CSRA6640, CSRB31024, FSM10055, FSM10056, MDM9205, MDM9640, MDM9650, MDM9655, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, PM8937, QCA4004, QCA4020, QCA6174A, QCA6175A, QCA6234, QCA6320, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6694, QCA6694AU, QCA6696, QCA8337, QCA9377, QCA9379, QCM2290, QCM4290, QCM6125, QCS2290, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QSM8250, QSM8350, Qualcomm215, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SC8180X+SDX55, SD 455, SD 636, SD 675, SD 8C, SD 8CX, SD429, SD439, SD450, SD460, SD480, SD632, SD660, SD662, SD665, SD670, SD675, SD678, SD690 5G, SD712, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD7c, SD820, SD821, SD835, SD850, SD855, SD865 5G, SD870, SD888 5G, SDA429W, SDM429W, SDM630, SDX24, SDX50M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM6250P, SM7250P, SM7325P, WCD9306, WCD9335, WCD9360, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3620, WCN3660, WCN3660B, WCN3680, WCN3680B, WCN3910, WCN3950, WCN3988, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8830, WSA8835

CVE-2021-1887

CVE ID CVE-2021-1887
Title Reachable Assertion in WLAN
Description An assertion can be reached in the WLAN subsystem while using the Wi-Fi Fine Timing Measurement protocol
Technology Area WLAN Firmware
Vulnerability Type CWE-617 Reachable Assertion
Access Vector Remote
Security Rating High
CVSS Rating High
CVSS Score 7.5
CVSS String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Date Reported 08/06/2020
Customer Notified Date 04/05/2021
Affected Chipsets* AR7420, AR9380, CSR8811, IPQ4018, IPQ4019, IPQ4028, IPQ4029, IPQ8064, IPQ8065, IPQ8069, IPQ8074, QCA6310, QCA6320, QCA6335, QCA6428, QCA6438, QCA7500, QCA7520, QCA7550, QCA9531, QCA9558, QCA9561, QCA9563, QCA9880, QCA9882, QCA9887, QCA9888, QCA9889, QCA9896, QCA9898, QCA9980, QCA9984, QCA9990, QCA9992, QCA9994, QCN5024, QCN5054, QCN5501, QCN5502

CVE-2021-1938

CVE ID CVE-2021-1938
Title Reachable Assertion in WLAN
Description Possible assertion due to improper verification while creating and deleting the peer
Technology Area WLAN Firmware
Vulnerability Type CWE-617 Reachable Assertion
Access Vector Remote
Security Rating High
CVSS Rating High
CVSS Score 7.5
CVSS String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Date Reported 11/20/2020
Customer Notified Date 04/05/2021
Affected Chipsets* AQT1000, AR8031, AR8035, AR9380, CSR8811, CSRA6620, CSRA6640, CSRB31024, FSM10055, IPQ4018, IPQ4028, IPQ4029, IPQ5010, IPQ5018, IPQ5028, IPQ6000, IPQ6005, IPQ6010, IPQ6018, IPQ6028, IPQ8064, IPQ8069, IPQ8070, IPQ8070A, IPQ8071, IPQ8071A, IPQ8072, IPQ8072A, IPQ8074, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078, IPQ8078A, IPQ8173, IPQ8174, PMP8074, QCA1062, QCA1064, QCA2062, QCA2064, QCA2065, QCA2066, QCA4024, QCA6174A, QCA6175A, QCA6310, QCA6320, QCA6335, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6428, QCA6430, QCA6431, QCA6436, QCA6438, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCA8072, QCA8075, QCA8081, QCA8337, QCA9888, QCA9889, QCA9898, QCA9980, QCA9984, QCA9990, QCA9992, QCA9994, QCM2290, QCM4290, QCM6125, QCN5021, QCN5022, QCN5024, QCN5052, QCN5054, QCN5064, QCN5121, QCN5122, QCN5124, QCN5152, QCN5154, QCN5164, QCN5550, QCN6023, QCN6024, QCN6122, QCN7605, QCN7606, QCN9000, QCN9012, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCN9100, QCS2290, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QSM8350, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SC8180X+SDX55, SC8280XP, SD 455, SD 636, SD 675, SD 8C, SD 8CX, SD460, SD480, SD660, SD662, SD665, SD670, SD675, SD678, SD690 5G, SD710, SD712, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD7c, SD835, SD845, SD850, SD855, SD865 5G, SD870, SD888, SD888 5G, SDM630, SDM830, SDX50M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM6250P, SM7250P, SM7325P, WCD9326, WCD9335, WCD9340, WCD9341, WCD9360, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6740, WCN6745, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WHS9410, WSA8810, WSA8815, WSA8830, WSA8835

CVE-2021-1953

CVE ID CVE-2021-1953
Title Reachable Assertion in WLAN
Description Improper handling of received malformed FTMR request frame can lead to reachable assertion while responding with FTM1 frame
Technology Area WLAN Firmware
Vulnerability Type CWE-617 Reachable Assertion
Access Vector Remote
Security Rating High
CVSS Rating High
CVSS Score 7.5
CVSS String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Date Reported 12/16/2020
Customer Notified Date 04/05/2021
Affected Chipsets* AQT1000, AR8031, AR8035, AR9380, CSR8811, CSRA6620, CSRA6640, CSRB31024, IPQ4018, IPQ4028, IPQ4029, IPQ5010, IPQ5018, IPQ5028, IPQ6000, IPQ6005, IPQ6010, IPQ6018, IPQ6028, IPQ8064, IPQ8069, IPQ8070, IPQ8070A, IPQ8071, IPQ8071A, IPQ8072, IPQ8072A, IPQ8074, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078, IPQ8078A, IPQ8173, IPQ8174, PMP8074, QCA1062, QCA1064, QCA2062, QCA2064, QCA2065, QCA2066, QCA4024, QCA6174A, QCA6175A, QCA6310, QCA6320, QCA6335, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6428, QCA6430, QCA6431, QCA6436, QCA6438, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCA8072, QCA8075, QCA8081, QCA8337, QCA9377, QCA9888, QCA9889, QCA9898, QCA9980, QCA9984, QCA9990, QCA9992, QCA9994, QCM2290, QCM6125, QCN5021, QCN5022, QCN5024, QCN5052, QCN5054, QCN5064, QCN5121, QCN5122, QCN5124, QCN5152, QCN5154, QCN5164, QCN5550, QCN6023, QCN6024, QCN6122, QCN7605, QCN7606, QCN9000, QCN9012, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCN9100, QCS2290, QCS405, QCS410, QCS603, QCS605, QCS610, QCS6125, QSM8350, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SC8180X+SDX55, SC8280XP, SD 455, SD 636, SD 675, SD 8C, SD 8CX, SD460, SD480, SD660, SD662, SD665, SD670, SD675, SD678, SD690 5G, SD710, SD712, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD7c, SD835, SD845, SD850, SD855, SD865 5G, SD870, SD888, SD888 5G, SDM630, SDM830, SDX50M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM6250P, SM7250P, SM7325P, WCD9326, WCD9335, WCD9340, WCD9341, WCD9360, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6740, WCN6745, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WHS9410, WSA8810, WSA8815, WSA8830, WSA8835

CVE-2021-1896

CVE ID CVE-2021-1896
Title Weak Configuration in WLAN
Description Weak configuration in WLAN could cause forwarding of unencrypted packets from one client to another
Technology Area WLAN Windows Host
Vulnerability Type CWE-16 Configuration
Access Vector Remote
Security Rating Medium
CVSS Rating Medium
CVSS Score 4.3
CVSS String CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Date Reported 07/09/2020
Customer Notified Date 01/04/2021
Affected Chipsets* AQT1000, QCA6164, QCA6174, QCA6174A, QCA6420, QCA6430, QCA9377, SC8180X+SDX55, SD 8C, SD 8CX, SD7c, SD850, SM6250, WCD9340, WCD9341, WCN3990, WCN3991, WCN3998, WCN6850, WSA8810, WSA8815

*The list of affected chipsets may not be complete. For latest information, device OEMs can contact QTI directly at www.qualcomm.com/support.  

Open Source Software Issues

The tables below summarize security vulnerabilities that were addressed through open source software.

This table lists high impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.

| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
| --- | --- | --- | --- | --- |
| CVE-2021-1965 | Critical | Critical | WLAN Host Communication | 01/06/2021 |
| CVE-2021-1907 | High | High | WLAN HOST | 10/23/2020 |
| CVE-2021-1931 | High | Medium | Boot | 11/09/2020 |
| CVE-2021-1940 | High | High | NPU | 11/22/2020 |
| CVE-2021-1943 | High | High | WLAN Host Communication | 11/26/2020 |
| CVE-2021-1945 | High | High | WLAN Host Communication | 11/27/2020 |
| CVE-2021-1954 | High | High | WLAN Host Communication | 11/26/2020 |
| CVE-2021-1955 | High | High | WLAN HOST | 10/16/2020 |
| CVE-2021-1964 | High | High | WLAN Host Communication | 12/10/2020 |
| CVE-2021-1970 | High | High | WLAN HOST | 01/04/2021 |

This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.

| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
| --- | --- | --- | --- | --- |
| CVE-2021-1897 | Medium | Medium | Boot | 09/07/2020 |
| CVE-2021-1898 | Medium | Medium | Boot | 09/07/2020 |
| CVE-2021-1899 | Medium | Medium | Boot | 09/08/2020 |
| CVE-2021-1901 | Medium | Medium | Boot | 09/09/2020 |

CVE-2021-1965

CVE ID CVE-2021-1965
Title Buffer Copy Without Checking Size of Input in WLAN
Description Possible buffer overflow due to lack of parameter length check during MBSSID scan IE parse
Technology Area WLAN Host Communication
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating Critical
CVSS Rating Critical
CVSS Score 9.8
CVSS String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported 01/06/2021
Customer Notified Date 04/05/2021
Affected Chipsets* AQT1000, AR9380, CSR8811, IPQ4018, IPQ4019, IPQ4028, IPQ4029, IPQ5010, IPQ5018, IPQ5028, IPQ6000, IPQ6005, IPQ6010, IPQ6018, IPQ6028, IPQ8064, IPQ8065, IPQ8068, IPQ8070, IPQ8070A, IPQ8071A, IPQ8072A, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078, IPQ8078A, IPQ8173, IPQ8174, PMP8074, QCA4024, QCA6390, QCA6391, QCA6420, QCA6426, QCA6430, QCA6436, QCA6574A, QCA6574AU, QCA6595AU, QCA6696, QCA7500, QCA8072, QCA8075, QCA8081, QCA9880, QCA9886, QCA9888, QCA9889, QCA9898, QCA9980, QCA9984, QCA9985, QCA9990, QCA9992, QCA9994, QCN5021, QCN5022, QCN5024, QCN5052, QCN5054, QCN5121, QCN5122, QCN5124, QCN5152, QCN5154, QCN5164, QCN5550, QCN6023, QCN6024, QCN6122, QCN9000, QCN9012, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCN9100, SA6145P, SA6150P, SA6155P, SA8145P, SA8150P, SA8155P, SA8195P, SD 675, SD675, SD678, SD720G, SD730, SD778G, SD780G, SD855, SD865 5G, SD870, SD888, SD888 5G, SDX50M, SDX55, SDX55M, SDXR2 5G, SM6250, SM7325P, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3910, WCN3950, WCN3980, WCN3988, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835
Patch**

CVE-2021-1907

CVE ID CVE-2021-1907
Title Reachable Assertion in WLAN
Description Possible buffer overflow due to lack of length check in BA request
Technology Area WLAN HOST
Vulnerability Type CWE-617 Reachable Assertion
Access Vector Remote
Security Rating High
CVSS Rating High
CVSS Score 7.5
CVSS String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Date Reported 10/23/2020
Customer Notified Date 04/05/2021
Affected Chipsets* APQ8053, CSRB31024, MSM8953, QCA6175A, QCA6390, QCA6391, QCA6426, QCA6436, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCM4290, QCM6125, QCS4290, QCS6125, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 636, SD480, SD660, SD665, SD670, SD710, SD765, SD765G, SD768G, SD778G, SD780G, SD835, SD845, SD855, SD865 5G, SD870, SD888, SD888 5G, SDM630, SDX55, SDX55M, SDXR2 5G, SM7250P, SM7325P, WCD9326, WCD9335, WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3615, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835
Patch**

CVE-2021-1931

CVE ID CVE-2021-1931
Title Buffer Copy Without Checking Size of Input in Boot
Description Possible buffer overflow due to improper validation of buffer length while processing fast boot commands
Technology Area Boot
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
CVSS Rating Medium
CVSS Score 6.7
CVSS String CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Date Reported 11/09/2020
Customer Notified Date 02/01/2021
Affected Chipsets* AQT1000, AR8031, AR8035, CSRA6620, CSRA6640, CSRB31024, FSM10055, FSM10056, QCA6174A, QCA6310, QCA6320, QCA6335, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595AU, QCA6696, QCA8337, QCA9377, QCM2290, QCM4290, QCM6125, QCS2290, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, SA415M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 636, SD 675, SD 8C, SD 8CX, SD460, SD480, SD660, SD662, SD665, SD670, SD675, SD678, SD690 5G, SD710, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD835, SD845, SD855, SD865 5G, SD870, SD888, SD888 5G, SDM630, SDM830, SDX24, SDX50M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM6250P, SM7250P, SM7325P, WCD9326, WCD9335, WCD9340, WCD9341, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835
Patch**

CVE-2021-1940

CVE ID CVE-2021-1940
Title Use After Free in Neural Processing
Description Use after free can occur due to improper handling of response from firmware
Technology Area NPU
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
CVSS Rating High
CVSS Score 8.4
CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported 11/22/2020
Customer Notified Date 04/05/2021
Affected Chipsets* AQT1000, AR8031, AR8035, CSRA6620, CSRA6640, FSM10055, FSM10056, QCA6391, QCA6420, QCA6430, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595AU, QCA6696, QCA8337, QCM6125, QCS405, QCS410, QCS610, QCS6125, SA415M, SA515M, SA6145P, SA6155, SA6155P, SA8155, SA8155P, SA8195P, SD 675, SD 8C, SD 8CX, SD660, SD665, SD675, SD678, SD720G, SD730, SD855, SDA429W, SDX50M, SDX55, SDX55M, SM6250, SM6250P, WCD9335, WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCN3610, WCN3620, WCN3660B, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WSA8810, WSA8815
Patch**

CVE-2021-1943

CVE ID CVE-2021-1943
Title Buffer Over-read in WLAN
Description Possible buffer out of bound read can occur due to improper validation of TBTT count and length while parsing the beacon response
Technology Area WLAN Host Communication
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
CVSS Rating High
CVSS Score 7.5
CVSS String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Date Reported 11/26/2020
Customer Notified Date 04/05/2021
Affected Chipsets* APQ8053, AQT1000, AR9380, CSR8811, CSRB31024, IPQ4018, IPQ4019, IPQ4028, IPQ4029, IPQ5010, IPQ5018, IPQ5028, IPQ6000, IPQ6005, IPQ6010, IPQ6018, IPQ6028, IPQ8064, IPQ8065, IPQ8068, IPQ8070, IPQ8070A, IPQ8071, IPQ8071A, IPQ8072, IPQ8072A, IPQ8074, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078, IPQ8078A, IPQ8173, IPQ8174, MSM8953, PMP8074, QCA4024, QCA6175A, QCA6390, QCA6391, QCA6420, QCA6426, QCA6428, QCA6430, QCA6436, QCA6438, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCA7500, QCA8072, QCA8075, QCA8081, QCA9531, QCA9558, QCA9561, QCA9563, QCA9880, QCA9886, QCA9887, QCA9888, QCA9889, QCA9896, QCA9898, QCA9980, QCA9982, QCA9984, QCA9985, QCA9990, QCA9992, QCA9994, QCN5021, QCN5022, QCN5024, QCN5052, QCN5054, QCN5064, QCN5121, QCN5122, QCN5124, QCN5152, QCN5154, QCN5164, QCN5500, QCN5502, QCN5550, QCN6023, QCN6024, QCN6122, QCN9000, QCN9012, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCN9100, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 636, SD 675, SD460, SD480, SD660, SD662, SD665, SD670, SD675, SD678, SD690 5G, SD710, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD835, SD845, SD855, SD865 5G, SD870, SD888, SD888 5G, SDM630, SDX50M, SDX55, SDX55M, SDXR2 5G, SM4125, SM6250, SM7250P, SM7325P, WCD9326, WCD9335, WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3615, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835
Patch**

CVE-2021-1945

CVE ID CVE-2021-1945
Title Buffer Over-read in WLAN
Description Possible out of bound read due to lack of length check of Bandwidth-NSS IE
Technology Area WLAN Host Communication
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
CVSS Rating High
CVSS Score 7.5
CVSS String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Date Reported 11/27/2020
Customer Notified Date 04/05/2021
Affected Chipsets* APQ8053, APQ8064AU, APQ8096AU, AQT1000, AR8031, AR8035, AR9380, CSR8811, CSRA6620, CSRA6640, CSRB31024, IPQ4018, IPQ4019, IPQ4028, IPQ4029, IPQ5010, IPQ5018, IPQ5028, IPQ6000, IPQ6005, IPQ6010, IPQ6018, IPQ6028, IPQ8064, IPQ8065, IPQ8068, IPQ8070, IPQ8070A, IPQ8071, IPQ8071A, IPQ8072, IPQ8072A, IPQ8074, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078, IPQ8078A, IPQ8173, IPQ8174, MDM9650, MSM8953, MSM8996AU, PMP8074, QCA4024, QCA6310, QCA6320, QCA6335, QCA6390, QCA6391, QCA6420, QCA6426, QCA6428, QCA6430, QCA6436, QCA6438, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6694, QCA6696, QCA7500, QCA8072, QCA8075, QCA8081, QCA8337, QCA9531, QCA9558, QCA9561, QCA9563, QCA9880, QCA9882, QCA9886, QCA9887, QCA9888, QCA9889, QCA9896, QCA9898, QCA9980, QCA9982, QCA9984, QCA9985, QCA9990, QCA9992, QCA9994, QCM2290, QCM4290, QCM6125, QCN5021, QCN5022, QCN5024, QCN5052, QCN5054, QCN5064, QCN5121, QCN5122, QCN5124, QCN5152, QCN5154, QCN5164, QCN5500, QCN5502, QCN5550, QCN6023, QCN6024, QCN6122, QCN9000, QCN9012, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCN9100, QCS2290, QCS405, QCS410, QCS4290, QCS610, QCS6125, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 636, SD 675, SD 8C, SD 8CX, SD460, SD480, SD660, SD662, SD665, SD670, SD675, SD678, SD690 5G, SD710, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD835, SD845, SD855, SD865 5G, SD870, SD888, SD888 5G, SDM630, SDX50M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM6250P, SM7250P, SM7325P, WCD9326, WCD9335, WCD9340, WCD9341, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3615, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835
Patch**

CVE-2021-1954

CVE ID CVE-2021-1954
Title Buffer Over-read in WLAN
Description Possible buffer over read due to improper validation of data pointer while parsing FILS indication IE
Technology Area WLAN Host Communication
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
CVSS Rating High
CVSS Score 7.5
CVSS String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Date Reported 11/26/2020
Customer Notified Date 04/05/2021
Affected Chipsets* APQ8053, AQT1000, AR9380, CSR8811, IPQ4018, IPQ4019, IPQ4028, IPQ4029, IPQ5010, IPQ5018, IPQ5028, IPQ6010, IPQ6018, IPQ6028, IPQ8064, IPQ8065, IPQ8068, IPQ8070, IPQ8070A, IPQ8071, IPQ8071A, IPQ8072, IPQ8072A, IPQ8074, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078, IPQ8078A, IPQ8173, IPQ8174, MSM8953, PMP8074, QCA4024, QCA6390, QCA6391, QCA6420, QCA6426, QCA6430, QCA6436, QCA6574, QCA6574A, QCA6574AU, QCA6595AU, QCA6696, QCA7500, QCA8072, QCA8075, QCA8081, QCA9531, QCA9558, QCA9561, QCA9563, QCA9880, QCA9886, QCA9887, QCA9888, QCA9889, QCA9896, QCA9898, QCA9980, QCA9982, QCA9984, QCA9985, QCA9990, QCA9992, QCA9994, QCM4290, QCM6125, QCN5021, QCN5022, QCN5024, QCN5052, QCN5054, QCN5122, QCN5124, QCN5152, QCN5154, QCN5164, QCN5500, QCN5502, QCN6023, QCN6024, QCN6122, QCN9000, QCN9012, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCN9100, QCS4290, QCS6125, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 675, SD665, SD675, SD678, SD720G, SD730, SD765, SD765G, SD768G, SD778G, SD780G, SD855, SD865 5G, SD870, SD888 5G, SDX50M, SDX55, SDX55M, SDXR2 5G, SM6250, SM7250P, SM7325P, WCD9326, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3615, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835
Patch**

CVE-2021-1955

CVE ID CVE-2021-1955
Title Reachable Assertion in WLAN
Description Denial of service in SAP case due to improper handling of connections when association is rejected
Technology Area WLAN HOST
Vulnerability Type CWE-617 Reachable Assertion
Access Vector Remote
Security Rating High
CVSS Rating High
CVSS Score 7.5
CVSS String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Date Reported 10/16/2020
Customer Notified Date 04/05/2021
Affected Chipsets* APQ8009, APQ8009W, APQ8017, APQ8053, APQ8064AU, APQ8096AU, AQT1000, AR6003, AR8031, AR8035, CSR6030, CSRA6620, CSRA6640, CSRB31024, MDM8215, MDM8215M, MDM8615M, MDM9150, MDM9206, MDM9215, MDM9230, MDM9250, MDM9310, MDM9330, MDM9607, MDM9615, MDM9615M, MDM9626, MDM9628, MDM9630, MDM9640, MDM9650, MSM8909W, MSM8917, MSM8953, MSM8996AU, QCA4020, QCA6174, QCA6174A, QCA6175A, QCA6310, QCA6335, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCA8337, QCA9367, QCA9377, QCA9379, QCM2290, QCM4290, QCM6125, QCS2290, QCS405, QCS4290, QCS603, QCS605, QCS6125, QET4101, QSW8573, Qualcomm215, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 455, SD 636, SD 675, SD 8C, SD 8CX, SD205, SD210, SD429, SD439, SD450, SD460, SD480, SD632, SD660, SD662, SD665, SD670, SD675, SD678, SD690 5G, SD710, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD835, SD845, SD855, SD865 5G, SD870, SD888, SD888 5G, SDA429W, SDM429W, SDM630, SDM830, SDW2500, SDX20, SDX20M, SDX24, SDX50M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM7250P, SM7325P, WCD9326, WCD9330, WCD9335, WCD9340, WCD9341, WCD9360, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3620, WCN3660, WCN3660B, WCN3680, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835
Patch**

CVE-2021-1964

CVE ID CVE-2021-1964
Title Buffer Over-read in WLAN
Description Possible buffer over-read due to improper validation of IE size while parsing beacon from peer device
Technology Area WLAN Host Communication
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
CVSS Rating High
CVSS Score 7.5
CVSS String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Date Reported 12/10/2020
Customer Notified Date 04/05/2021
Affected Chipsets* APQ8053, AQT1000, AR8035, AR9380, CSR8811, CSRB31024, IPQ4018, IPQ4019, IPQ4028, IPQ4029, IPQ5010, IPQ5018, IPQ5028, IPQ6000, IPQ6005, IPQ6010, IPQ6018, IPQ6028, IPQ8064, IPQ8065, IPQ8068, IPQ8070, IPQ8070A, IPQ8071, IPQ8071A, IPQ8072, IPQ8072A, IPQ8074, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078, IPQ8078A, IPQ8173, IPQ8174, MSM8953, PMP8074, QCA4024, QCA6175A, QCA6390, QCA6391, QCA6420, QCA6426, QCA6428, QCA6430, QCA6436, QCA6438, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6694, QCA6696, QCA7500, QCA8072, QCA8075, QCA8081, QCA8337, QCA9531, QCA9558, QCA9561, QCA9563, QCA9880, QCA9882, QCA9886, QCA9887, QCA9888, QCA9889, QCA9896, QCA9898, QCA9980, QCA9982, QCA9984, QCA9985, QCA9990, QCA9992, QCA9994, QCM2290, QCM4290, QCN5021, QCN5022, QCN5024, QCN5052, QCN5054, QCN5064, QCN5121, QCN5122, QCN5124, QCN5152, QCN5154, QCN5164, QCN5500, QCN5502, QCN5550, QCN6023, QCN6024, QCN6122, QCN9000, QCN9012, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCN9100, QCS2290, QCS4290, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 636, SD 675, SD 8C, SD 8CX, SD460, SD480, SD660, SD662, SD665, SD670, SD675, SD678, SD690 5G, SD710, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD835, SD845, SD855, SD865 5G, SD870, SD888, SD888 5G, SDM630, SDX50M, SDX55, SDX55M, SDXR2 5G, SM4125, SM6250, SM7250P, SM7325P, WCD9326, WCD9335, WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3615, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835
Patch**

CVE-2021-1970

CVE ID CVE-2021-1970
Title Improper Input Validation in WLAN
Description Possible out of bound read due to lack of length check of FT sub-elements
Technology Area WLAN HOST
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Remote
Security Rating High
CVSS Rating High
CVSS Score 7.5
CVSS String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Date Reported 01/04/2021
Customer Notified Date 04/05/2021
Affected Chipsets* APQ8053, AQT1000, AR8031, AR8035, CSRA6620, CSRA6640, CSRB31024, MSM8953, QCA6175A, QCA6310, QCA6320, QCA6335, QCA6390, QCA6391, QCA6420, QCA6426, QCA6430, QCA6436, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCA8337, QCM2290, QCM4290, QCM6125, QCS2290, QCS405, QCS4290, QCS610, QCS6125, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 636, SD 675, SD 8C, SD 8CX, SD460, SD480, SD660, SD662, SD665, SD670, SD675, SD678, SD690 5G, SD710, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD835, SD845, SD855, SD865 5G, SD870, SD888, SD888 5G, SDM630, SDX50M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM6250P, SM7250P, SM7325P, WCD9326, WCD9335, WCD9340, WCD9341, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3615, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835
Patch**

CVE-2021-1897

CVE ID CVE-2021-1897
Title Buffer Over-read in Boot
Description Possible Buffer Over-read due to lack of validation of boundary checks when loading splash image
Technology Area Boot
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
CVSS Rating Medium
CVSS Score 4.6
CVSS String CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Date Reported 09/07/2020
Customer Notified Date 01/04/2021
Affected Chipsets* APQ8009, APQ8009W, APQ8053, AQT1000, MDM9206, MSM8909W, QCA6420, QCA6430, QCA9367, QCA9377, Qualcomm215, SD 675, SD205, SD210, SD675, SD678, SD720G, SD730, SD855, SDA429W, SDX50M, SDX55, SDX55M, SM6250, WCD9326, WCD9330, WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCN3610, WCN3615, WCN3620, WCN3660B, WCN3680, WCN3680B, WCN3950, WCN3980, WCN3988, WCN3991, WCN3998, WSA8810, WSA8815
Patch**

CVE-2021-1898

CVE ID CVE-2021-1898
Title Buffer Over-read in Boot
Description Possible buffer over-read due to incorrect overflow check when loading splash image
Technology Area Boot
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
CVSS Rating Medium
CVSS Score 4.6
CVSS String CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Date Reported 09/07/2020
Customer Notified Date 01/04/2021
Affected Chipsets* APQ8009, APQ8053, AQT1000, MDM9206, QCA6420, QCA6430, QCA9367, QCA9377, Qualcomm215, SD 675, SD205, SD210, SD675, SD678, SD720G, SD730, SD855, SDA429W, SDX50M, SDX55, SDX55M, SM6250, WCD9326, WCD9330, WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCN3610, WCN3615, WCN3620, WCN3660B, WCN3680, WCN3680B, WCN3950, WCN3980, WCN3988, WCN3991, WCN3998, WSA8810, WSA8815
Patch**

CVE-2021-1899

CVE ID CVE-2021-1899
Title Buffer Over-read in Boot
Description Possible buffer over-read due to lack of length check while flashing meta images
Technology Area Boot
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
CVSS Rating Medium
CVSS Score 4.6
CVSS String CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Date Reported 09/08/2020
Customer Notified Date 01/04/2021
Affected Chipsets* APQ8009W, AQT1000, MSM8909W, QCA4020, QCA6174A, QCA6420, QCA6430, QCA9379, Qualcomm215, SD 675, SD205, SD210, SD675, SD678, SD720G, SD730, SD855, SDA429W, SDM429W, SDX50M, SDX55, SDX55M, SM6250, WCD9326, WCD9341, WCD9370, WCD9375, WCD9380, WCN3610, WCN3615, WCN3620, WCN3660B, WCN3680, WCN3680B, WCN3950, WCN3980, WCN3988, WCN3991, WCN3998, WSA8810, WSA8815
Patch**

CVE-2021-1901

CVE ID CVE-2021-1901
Title Buffer Over-read in Boot
Description Possible buffer over-read due to lack of length check while flashing meta images
Technology Area Boot
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
CVSS Rating Medium
CVSS Score 4.6
CVSS String CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Date Reported 09/09/2020
Customer Notified Date 01/04/2021
Affected Chipsets* APQ8009, APQ8053, AQT1000, MDM9206, QCA6420, QCA6430, QCA9367, QCA9377, Qualcomm215, SD 675, SD205, SD210, SD675, SD678, SD720G, SD730, SD855, SDA429W, SDX50M, SDX55, SDX55M, SM6250, WCD9326, WCD9330, WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCN3610, WCN3615, WCN3620, WCN3660B, WCN3680, WCN3680B, WCN3950, WCN3980, WCN3988, WCN3991, WCN3998, WSA8810, WSA8815
Patch**

* The list of affected chipsets may not be complete. For latest information, device OEMs can contact QTI directly at www.qualcomm.com/support.

** Data is generated only at the time of bulletin creation

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

  • Consideration of security protections such as SELinux not enforced on some platforms
  • Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high level OS kernel

Version History

Version Date Comments
1.0 July 5, 2021 Bulletin Published

All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.
Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.

This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.
