This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices.
Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.
We have discontinued publication of the open source public bulletin at https://www.codeaurora.org/security-advisories/security-bulletins. Starting from September 2019, we will publish a single monthly bulletin listing both open-source and closed-source vulnerabilities.
We would like to thank these researchers for their contributions in reporting these issues to us.
CVE-2019-14026, CVE-2019-14027, CVE-2019-14028, CVE-2019-14083 | Peter Park (peterpark) |
CVE-2019-14029 | Anonymous Researcher |
CVE-2019-14072 | (avel) |
CVE-2019-14095 | Etienne Helluy-Lafont, Université de Lille |
Public ID | Security Rating | Technology Area | Date Reported |
CVE-2019-10546 | Critical | WLAN Firmware | Internal |
CVE-2019-10549 | High | Data Modem | Internal |
CVE-2019-10550 | High | Data Modem | Internal |
CVE-2019-10552 | High | Multi-Mode Call Processor | Internal |
CVE-2019-10553 | High | Multi-Mode Call Processor | Internal |
CVE-2019-10554 | High | Multi-Mode Call Processor | Internal |
CVE-2019-10577 | High | Data Modem | Internal |
CVE-2019-10586 | Critical | Data Modem | Internal |
CVE-2019-10587 | Critical | Data Modem | Internal |
CVE-2019-10591 | High | Video | Internal |
CVE-2019-10593 | Critical | Data Modem | Internal |
CVE-2019-10594 | Critical | Data Modem | Internal |
CVE-2019-10603 | High | Data Network Stack & Connectivity | Internal |
CVE-2019-10604 | High | DebugTools | Internal |
CVE-2019-10612 | Critical | KERNEL | Internal |
CVE-2019-10616 | High | SoC Infrastructure | Internal |
CVE-2019-14000 | High | Qualcomm IPC | Internal |
CVE-2019-14015 | High | Fingerprint | Internal |
CVE-2019-14026 | High | WLAN Firmware | 06/10/2019 |
CVE-2019-14027 | High | WLAN Firmware | 06/10/2019 |
CVE-2019-14028 | High | WLAN Firmware | 06/10/2019 |
CVE-2019-14030 | Critical | Core Power SW | Internal |
CVE-2019-14031 | Critical | WLAN Firmware | Internal |
CVE-2019-14045 | Critical | Video | Internal |
CVE-2019-14048 | High | Video | Internal |
CVE-2019-14050 | High | Fingerprint | 08/01/2019 |
CVE-2019-14061 | High | Video | Internal |
CVE-2019-14071 | Critical | System Debug | Internal |
CVE-2019-14081 | High | WLAN Firmware | Internal |
CVE-2019-14082 | High | WLAN Firmware | Internal |
CVE-2019-14083 | Critical | WLAN Firmware | 05/25/2019 |
CVE-2019-14085 | High | WLAN Firmware | Internal |
CVE-2019-14086 | Critical | WLAN Firmware | Internal |
CVE-2019-14095 | Critical | BTSOC | 09/03/2019 |
CVE-2019-14097 | Critical | WLAN Firmware | Internal |
CVE-2019-14098 | Critical | WLAN Firmware | Internal |
CVE-2019-2300 | High | WLAN Firmware | Internal |
CVE-2019-2311 | High | WLAN Firmware | Internal |
CVE-2019-2317 | Critical | Data Modem | Internal |
CVE ID | CVE-2019-10546 |
Title | Buffer Copy Without Checking Size of Input in WLAN |
Description | Buffer overflow can occur in WLAN firmware while parsing beacon/probe_response frames during roaming |
Technology Area | WLAN Firmware |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 12/02/2019 |
Affected Chipsets* | APQ8096, APQ8096AU, IPQ6018, IPQ8074, MDM9607, MDM9640, MDM9650, MSM8996AU, Nicobar, QCA6174A, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA8081, QCA9377, QCA9379, QCS404, QCS605, Rennell, SA6155P, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE ID | CVE-2019-10549 |
Title | Null Pointer Dereference Issue in Modem Data |
Description | Null pointer dereference issue can happen due to improper validation of CSEQ header response received from network |
Technology Area | Data Modem |
Vulnerability Type | CWE-476 NULL Pointer Dereference |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 09/02/2019 |
Affected Chipsets* | MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, Nicobar, QCM2150, QM215, Rennell, SC8180X, SDM429, SDM429W, SDM439, SDM450, SDM632, SDX24, SDX55, SM6150, SM7150, SM8150 |
CVE ID | CVE-2019-10550 |
Title | Buffer Over-read Issue in Modem Data |
Description | Buffer over-read when the UE tries to process a message received from the network without zero termination |
Technology Area | Data Modem |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 09/02/2019 |
Affected Chipsets* | MDM9206, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, Nicobar, QCM2150, QCS605, QM215, Rennell, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE ID | CVE-2019-10552 |
Title | Buffer Over-read Issue in Multi-mode Call Processor |
Description | Multiple buffer over-read issues can happen due to improper length checks while decoding Service Reject/RAU Reject/PTMSI Realloc cmd |
Technology Area | Multi-Mode Call Processor |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 09/02/2019 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE ID | CVE-2019-10553 |
Title | Buffer Over-read Issue in Multi-mode Call processor |
Description | Multiple read overflows due to improper length checks while decoding authentication in CS domain/RAU Reject and TC cmd |
Technology Area | Multi-Mode Call Processor |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 09/02/2019 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE ID | CVE-2019-10554 |
Title | Buffer Over-read Issue in Multi Mode Call Processor |
Description | Multiple read overflow issues due to improper length check while decoding Identity Request in CS domain/Authentication Reject in CS domain/PRAU accept/while logging DL message |
Technology Area | Multi-Mode Call Processor |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 09/02/2019 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE ID | CVE-2019-10577 |
Title | Buffer Over-read Issue in Modem Data |
Description | Improper input validation while processing SIP URI received from the network will lead to buffer over-read and then to denial of service |
Technology Area | Data Modem |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 09/02/2019 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE ID | CVE-2019-10586 |
Title | Buffer Copy Without Checking Size of Input in Data Modem |
Description | Media attribute tag names are filled without validating the destination buffer size, which can result in a buffer overflow |
Technology Area | Data Modem |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 09/02/2019 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE ID | CVE-2019-10587 |
Title | Buffer Copy Without Checking Size of Input in Data Modem |
Description | Possible stack overflow can occur when processing a large SDP body or a non-standard SDP body without the right delimiters |
Technology Area | Data Modem |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 09/02/2019 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE ID | CVE-2019-10591 |
Title | Null Pointer Dereference Issue in Video |
Description | Null pointer dereference can happen when parsing a non-standard udta atom that has an invalid depth |
Technology Area | Video |
Vulnerability Type | CWE-129 Improper Validation of Array Index |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 12/02/2019 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8917, MSM8939, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE ID | CVE-2019-10593 |
Title | Improper Validation of Array Index in Data Modem |
Description | Buffer overflow can occur when processing a non-standard SDP video Image attribute parameter in a ViLTE/VoLTE call |
Technology Area | Data Modem |
Vulnerability Type | CWE-129 Improper Validation of Array Index |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 09/02/2019 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9607, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE ID | CVE-2019-10594 |
Title | Improper Validation of Array Index in Data Modem |
Description | Stack overflow can occur when SDP is received with multiple payload types in the FMTP attribute of a video M line |
Technology Area | Data Modem |
Vulnerability Type | CWE-129 Improper Validation of Array Index |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 09/02/2019 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE ID | CVE-2019-10603 |
Title | Use After Free Issue in HLOS Data |
Description | Use after free issue occurs if the real device interface goes down and a route lookup is performed while sending a raw IPv6 message |
Technology Area | Data Network Stack & Connectivity |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 09/02/2019 |
Affected Chipsets* | APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8917, MSM8937, MSM8996AU, QCN7605, SDA845, SDM630, SDM636, SDM660, SDX20, SXR1130 |
CVE ID | CVE-2019-10604 |
Title | Buffer Copy Without Checking Size of Input in Debug Tools |
Description | Possibility of heap buffer overflow during the last iteration of the loop while populating image version information in the diag command response packet |
Technology Area | DebugTools |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 12/02/2019 |
Affected Chipsets* | APQ8053, APQ8096AU, APQ8098, MDM9607, MDM9640, MSM8909W, MSM8917, MSM8953, Nicobar, QCS605, QM215, Rennell, SA6155P, Saipan, SDA660, SDM429, SDM439, SDM450, SDM632, SDM670, SDM710, SDM845, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE ID | CVE-2019-10612 |
Title | Untrusted Pointer Dereference Issue in Kernel |
Description | UTCB object has a function pointer called by the reaper to deallocate its memory resources and this address can potentially be corrupted by stack overflow |
Technology Area | KERNEL |
Vulnerability Type | CWE-822 Untrusted Pointer Dereference |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 09/02/2019 |
Affected Chipsets* | MDM9205, MDM9650, QCS605, SA6155P, SC8180X, SDA845, SDM670, SDM710, SDM845, SDM850, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE ID | CVE-2019-10616 |
Title | Null Pointer Dereference Issue in Trustzone |
Description | Possibility of null pointer access if the SPDM commands are executed in a non-standard way in TZ |
Technology Area | SoC Infrastructure |
Vulnerability Type | CWE-476 NULL Pointer Dereference |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 09/02/2019 |
Affected Chipsets* | APQ8009, APQ8016, MDM9150, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8998, SA6155P, SDX24 |
CVE ID | CVE-2019-14000 |
Title | Information Exposure Issue in Qualcomm IPC |
Description | Lack of a check that the RX FIFO write index read from shared RAM is less than the FIFO size results in memory corruption and potential information leakage |
Technology Area | Qualcomm IPC |
Vulnerability Type | CWE-200 Information Exposure |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 12/02/2019 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, IPQ6018, IPQ8074, MDM9150, MDM9205, MDM9206, MDM9607, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA8081, QCM2150, QCS404, QCS405, QCS605, QM215, Rennell, SA6155P, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE ID | CVE-2019-14015 |
Title | Buffer Copy Without Checking Size of Input in Biometrics |
Description | A stack-based buffer overflow exists in the initialization of the identification stage due to lack of check on the number of templates provided. |
Technology Area | Fingerprint |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 12/02/2019 |
Affected Chipsets* | APQ8096, APQ8096AU, MDM9205, MSM8996, MSM8996AU, Nicobar, QCS404, QCS405, QCS605, Rennell, SA6155P, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130, SXR2130 |
CVE ID | CVE-2019-14026 |
Title | Buffer Copy without checking size of input in WLAN |
Description | Possible buffer overflow in WLAN WMI handler due to lack of ssid length check when copying data |
Technology Area | WLAN Firmware |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Local |
Security Rating | High |
Date Reported | 06/10/2019 |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, IPQ6018, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8996AU, MSM8998, Nicobar, QCA6174A, QCA6574, QCA6574AU, QCA6584AU, QCA8081, QCA9377, QCA9379, QCA9886, QCN7605, QCS404, QCS405, QCS605, Rennell, SA6155P, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE ID | CVE-2019-14027 |
Title | Buffer Copy Without Checking Size of Input in WLAN |
Description | Buffer overflow due to lack of upper bound check on channel length which is used for a loop. |
Technology Area | WLAN Firmware |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Local |
Security Rating | High |
Date Reported | 06/10/2019 |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8098, IPQ6018, IPQ8074, MSM8998, Nicobar, QCA8081, QCN7605, QCS404, QCS605, Rennell, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SXR1130, SXR2130 |
CVE ID | CVE-2019-14028 |
Title | Buffer Copy Without Checking Size of Input in WLAN |
Description | Buffer overwrite during memcpy due to lack of SSID length validation |
Technology Area | WLAN Firmware |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Local |
Security Rating | High |
Date Reported | 06/10/2019 |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8064, APQ8096, APQ8096AU, APQ8098, IPQ6018, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8996AU, MSM8998, Nicobar, QCA4531, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA8081, QCA9377, QCA9379, QCA9886, QCN7605, QCS404, QCS405, QCS605, Rennell, SA6155P, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE ID | CVE-2019-14030 |
Title | Buffer Copy Without Checking Size of Input in TrustZone |
Description | The size of a buffer is determined by addition and multiplication operations that have the potential to overflow due to lack of bound check |
Technology Area | Core Power SW |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Local |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 12/02/2019 |
Affected Chipsets* | MDM9205, QCS404, Rennell, SC8180X, SDM845, SDM850, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130 |
CVE ID | CVE-2019-14031 |
Title | Buffer Copy Without Checking Size of Input in WLAN |
Description | Buffer overflow can occur while parsing an RSN IE containing a list of PMK IDs that is larger than the buffer size |
Technology Area | WLAN Firmware |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8064, APQ8096, APQ8096AU, APQ8098, IPQ6018, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA4531, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA8081, QCA9377, QCA9379, QCA9886, QCN7605, QCS405, QCS605, SA6155P, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE ID | CVE-2019-14045 |
Title | Buffer Copy Without Checking Size of Input in Video |
Description | Possible buffer overflow while processing clientlog and serverlog due to lack of validation of data received in logs |
Technology Area | Video |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 11/04/2019 |
Affected Chipsets* | APQ8096AU, QCS605, SDM439, SM8150, SXR1130 |
CVE ID | CVE-2019-14048 |
Title | Buffer Copy Without Checking Size of Input in Video |
Description | Possible out of bound memory access while playing a crafted clip in media player |
Technology Area | Video |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 12/02/2019 |
Affected Chipsets* | SM8150 |
CVE ID | CVE-2019-14050 |
Title | Integer Overflow to Buffer Overflow Issue in Biometrics |
Description | Out-of-bounds write occurs due to lack of a buffer size check, causing a buffer overflow only on 32-bit architectures |
Technology Area | Fingerprint |
Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
Access Vector | Local |
Security Rating | High |
Date Reported | 08/01/2019 |
Customer Notified Date | 11/04/2019 |
Affected Chipsets* | APQ8009, MDM9150, MDM9205, MDM9607, MDM9650, MSM8905, Nicobar, QCS405, QCS605, Rennell, SA6155P, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SM6150, SM7150, SM8150, SXR1130 |
CVE ID | CVE-2019-14061 |
Title | Buffer Over-read Issue in Video |
Description | Null-pointer dereference can occur while accessing the segment element info when it is not allocated and assigned |
Technology Area | Video |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 12/02/2019 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996, MSM8996AU, Nicobar, QCS405, QCS605, QM215, Rennell, Saipan, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE ID | CVE-2019-14071 |
Title | Improper Access Control Issue in TrustZone |
Description | Compromised reset handler may bypass access control because the AC config is reset if the debug path is enabled to collect secure or non-secure RAM dumps |
Technology Area | System Debug |
Vulnerability Type | CWE-284 Improper Access Control |
Access Vector | Local |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 12/02/2019 |
Affected Chipsets* | APQ8017, APQ8053, APQ8096, APQ8096AU, IPQ6018, MDM9205, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS404, QCS405, QCS605, QM215, Rennell, SA6155P, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130, SXR2130 |
CVE ID | CVE-2019-14081 |
Title | Buffer Over-read Issue in WLAN |
Description | Buffer Over-read when WLAN module gets a WMI message for SAR limits with invalid number of limits to be enforced |
Technology Area | WLAN Firmware |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 11/04/2019 |
Affected Chipsets* | APQ8098, IPQ8074, MSM8998, QCA8081, QCN7605, QCS605, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM8150, SXR1130 |
CVE ID | CVE-2019-14082 |
Title | Buffer Over-read Issue in WLAN |
Description | Potential buffer over-read due to lack of bound check of memory offset passed in WLAN firmware |
Technology Area | WLAN Firmware |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 11/04/2019 |
Affected Chipsets* | IPQ8074, MDM9206, MDM9207C, MDM9607, QCN7605, SM8150 |
CVE ID | CVE-2019-14083 |
Title | Buffer Copy Without Checking Size of Input in WLAN |
Description | While parsing the Service Descriptor Extended Attribute received as part of an SDF frame, an incorrect length may be specified in the attribute length field of the extended SSI, which can lead to integer underflow |
Technology Area | WLAN Firmware |
Vulnerability Type | CWE-191 Integer Underflow (Wrap or Wraparound) |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | 05/25/2019 |
Customer Notified Date | 12/02/2019 |
Affected Chipsets* | APQ8009, APQ8053, APQ8096, APQ8098, IPQ6018, IPQ8074, MSM8996AU, MSM8998, Nicobar, QCA6174A, QCA6390, QCA6574AU, QCA8081, QCA9377, QCA9379, QCN7605, QCS404, QCS405, QCS605, Rennell, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130, SXR2130 |
CVE ID | CVE-2019-14085 |
Title | Integer Underflow Issue in WLAN |
Description | Possible Integer underflow in WLAN function due to lack of check of data received from user side |
Technology Area | WLAN Firmware |
Vulnerability Type | CWE-191 Integer Underflow (Wrap or Wraparound) |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 11/04/2019 |
Affected Chipsets* | QCN7605, QCS605, SDA845, SDM670, SDM710, SDM845, SDM850, SM8150, SXR1130 |
CVE ID | CVE-2019-14086 |
Title | Buffer Copy Without Checking Size of Input in WLAN |
Description | Possible integer overflow while checking the frame length: the length is a 32-bit integer that is added to another 32-bit integer, which can lead to an unexpected result during the check |
Technology Area | WLAN Firmware |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 12/02/2019 |
Affected Chipsets* | APQ8098, MDM9607, MSM8998, QCA6584, QCN7605, QCS605, SDA660, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SXR1130 |
CVE ID | CVE-2019-14095 |
Title | Buffer Copy Without Checking Size of input in Bluetooth |
Description | Buffer overflow occurs while processing an LMP packet in which the name length parameter exceeds the value specified in the BT specification |
Technology Area | BTSOC |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | 09/03/2019 |
Customer Notified Date | 01/06/2020 |
Affected Chipsets* | APQ8009, APQ8016, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA6174A, QCA6390, QCA6574AU, QCA9377, QCA9379, QCA9886, QCM2150, QCN7605, QCS404, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE ID | CVE-2019-14097 |
Title | Buffer Copy without checking size of input in WLAN |
Description | Possible buffer overflow in WLAN Parser due to lack of length check when copying data |
Technology Area | WLAN Firmware |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 12/02/2019 |
Affected Chipsets* | APQ8096, APQ8096AU, APQ8098, IPQ6018, IPQ8074, MDM9607, MDM9640, MDM9650, MSM8996AU, MSM8998, Nicobar, QCA6174A, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA8081, QCA9377, QCA9379, QCN7605, QCS405, QCS605, Rennell, SA6155P, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE ID | CVE-2019-14098 |
Title | Buffer Copy Without Checking Size of Input in WLAN |
Description | Possible buffer overflow in data offload handler due to lack of check of keydata length when copying data |
Technology Area | WLAN Firmware |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 12/02/2019 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8064, APQ8096, APQ8096AU, IPQ6018, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8996AU, Nicobar, QCA4531, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9379, QCA9886, QCS405, QCS605, Rennell, SA6155P, SC8180X, SDA660, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130, SXR2130 |
CVE ID | CVE-2019-2300 |
Title | Buffer Copy Without Checking Size of Input in WLAN |
Description | Possible buffer overflow in WLAN handler due to lack of validation of destination buffer size before copying into it |
Technology Area | WLAN Firmware |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096, APQ8098, IPQ8074, MDM9206, MDM9207C, MDM9607, MSM8996, MSM8996AU, MSM8998, QCA6174A, QCA6574AU, QCA8081, QCA9377, QCA9379, QCA9886, QCS605, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SXR1130 |
CVE ID | CVE-2019-2311 |
Title | Buffer Copy Without Checking Size of Input in WLAN |
Description | Possible buffer overflow in WLAN handler due to lack of validation of destination buffer size before copying it |
Technology Area | WLAN Firmware |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 10/07/2019 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8996, MSM8996AU, MSM8998, QCA6174A, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA8081, QCA9377, QCA9379, QCA9886, QCS605, SA6155P, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130 |
CVE ID | CVE-2019-2317 |
Title | Use of Insufficiently Random Values in Data Modem |
Description | The secret key used to make the Initial Sequence Number in the TCP SYN packet could be brute forced and therefore can be predicted |
Technology Area | Data Modem |
Vulnerability Type | CWE-330 Use of Insufficiently Random Values |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 06/03/2019 |
Affected Chipsets* | MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, Nicobar, QCM2150, QM215, SC8180X, SDM429, SDM439, SDM450, SDM632, SDX24, SDX55, SM6150, SM7150, SM8150 |
* Data is generated only at the time of bulletin creation
This table summarizes security vulnerabilities that were addressed through open source software located at the corresponding open source project links.
Public ID | Security Rating | Technology Area | Date Reported |
CVE-2018-11838 | High | WLAN HOST | Internal |
CVE-2019-10526 | High | WLAN HOST | Internal |
CVE-2019-10569 | High | Audio | Internal |
CVE-2019-14029 | High | Graphics | 09/10/2019 |
CVE-2019-14032 | High | Audio | Internal |
CVE-2019-14068 | High | Audio | Internal |
CVE-2019-14072 | High | Graphics | 08/07/2019 |
CVE-2019-14079 | High | Connectivity | 09/04/2019 |
CVE ID | CVE-2018-11838 |
Title | Double Free issue in WLAN |
Description | Possible double free issue in WLAN due to lack of checking memory free condition. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-415 Double Free |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 12/02/2019 |
Affected Chipsets* | APQ8053, MDM9640, SDA660, SDM636, SDM660, SDX20 |
Patch* |
CVE ID | CVE-2019-10526 |
Title | Improper Validation of Array Index in WLAN |
Description | Out of bound write in WLAN driver due to NULL character not properly placed after SSID name |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-129 Improper Validation of Array Index |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 12/02/2019 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCN7605, QCS405, QCS605, SC8180X, SDA845, SDM450, SDX20, SDX24, SDX55, SXR1130 |
Patch* |
CVE ID | CVE-2019-10569 |
Title | Stack Based Buffer Overflow Issue in Audio |
Description | Stack buffer overflow because the instance id is misplaced inside the definition of hardware accelerated effects in the makefile |
Technology Area | Audio |
Vulnerability Type | CWE-121 Stack-based Buffer Overflow |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 12/02/2019 |
Affected Chipsets* | APQ8053, APQ8098, MDM9607, MDM9640, MSM8998, QCS605, SC8180X, SDM439, SDM630, SDM636, SDM660, SDM845, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
Patch* |
CVE ID | CVE-2019-14029 |
Title | Use After Free Issue in Graphics |
Description | Use-after-free in graphics module due to destroying already queued syncobj in error case |
Technology Area | Graphics |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | High |
Date Reported | 09/10/2019 |
Customer Notified Date | 12/02/2019 |
Affected Chipsets* | APQ8009, APQ8053, APQ8096AU, APQ8098, MDM9607, MSM8909W, MSM8953, MSM8996AU, Nicobar, QCS405, QCS605, Rennell, SA6155P, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM670, SDM710, SDM845, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
Patch* |
CVE ID | CVE-2019-14032 |
Title | Use After Free Issue in Audio |
Description | Memory use after free issue in audio due to lack of resource control |
Technology Area | Audio |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 12/02/2019 |
Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8953, MSM8996AU, Nicobar, QCS405, QCS605, Rennell, SA6155P, Saipan, SC8180X, SDA845, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
Patch* |
CVE ID | CVE-2019-14068 |
Title | Buffer Copy Without Checking Size of Input in Audio |
Description | Out of bound access in msm routing due to lack of check of size before accessing |
Technology Area | Audio |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 12/02/2019 |
Affected Chipsets* | APQ8009, APQ8053, APQ8096AU, MDM9607, MSM8905, MSM8909W, Nicobar, QCS405, QCS605, Rennell, Saipan, SDM429W, SDM845, SDX20, SDX24, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
Patch* |
CVE ID | CVE-2019-14072 |
Title | Use After Free Issue in Linux Graphics |
Description | Unhandled paging request is observed due to dereferencing an already freed object because of a race condition between the sparse free and sparse bind ioctls, which access the same physical entry |
Technology Area | Graphics |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | High |
Date Reported | 08/07/2019 |
Customer Notified Date | 12/02/2019 |
Affected Chipsets* | APQ8009, APQ8096AU, APQ8098, MDM9607, MSM8909W, MSM8939, MSM8953, MSM8996AU, Nicobar, QCS405, QCS605, Rennell, SA6155P, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM450, SDM632, SDM670, SDM710, SDM845, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
Patch* |
CVE ID | CVE-2019-14079 |
Title | Use of Uninitialized Variable in USB Connectivity |
Description | Access to an uninitialized variable when the driver tries to unmap the DMA buffer of a request which was never mapped in the first place, leading to kernel failure |
Technology Area | Connectivity |
Vulnerability Type | CWE-457 Use of Uninitialized Variable |
Access Vector | Local |
Security Rating | High |
Date Reported | 09/04/2019 |
Customer Notified Date | 12/02/2019 |
Affected Chipsets* | APQ8009, APQ8053, MDM9607, MDM9640, MSM8909W, MSM8953, QCA6574AU, QCS605, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM670, SDM710, SDM845, SDX24, SM8150, SXR1130 |
Patch* |
Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:
Version | Date | Comments |
1.0 | March 2, 2020 | Bulletin Published |
©2021 Qualcomm Technologies, Inc. and/or its affiliated companies.