March 2020 Security Bulletin

Version 1.0

Published: 03/02/2020

This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices.

Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.

Announcements

We have discontinued publication of the open source public bulletin at https://www.codeaurora.org/security-advisories/security-bulletins. Starting from September 2019, we will have one single monthly bulletin listing both open-source and closed-source vulnerabilities.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2019-14026, CVE-2019-14027, CVE-2019-14028, CVE-2019-14083 Peter Park (peterpark)
CVE-2019-14029 Anonymous Researcher
CVE-2019-14072 (avel)
CVE-2019-14095 Etienne Helluy-Lafont Université de Lille

Table of Vulnerabilities

Public ID Security Rating Technology Area Date Reported
CVE-2019-10546 Critical WLAN Firmware Internal
CVE-2019-10549 High Data Modem Internal
CVE-2019-10550 High Data Modem Internal
CVE-2019-10552 High Multi-Mode Call Processor Internal
CVE-2019-10553 High Multi-Mode Call Processor Internal
CVE-2019-10554 High Multi-Mode Call Processor Internal
CVE-2019-10577 High Data Modem Internal
CVE-2019-10586 Critical Data Modem Internal
CVE-2019-10587 Critical Data Modem Internal
CVE-2019-10591 High Video Internal
CVE-2019-10593 Critical Data Modem Internal
CVE-2019-10594 Critical Data Modem Internal
CVE-2019-10603 High Data Network Stack & Connectivity Internal
CVE-2019-10604 High DebugTools Internal
CVE-2019-10612 Critical KERNEL Internal
CVE-2019-10616 High SoC Infrastructure Internal
CVE-2019-14000 High Qualcomm IPC Internal
CVE-2019-14015 High Fingerprint Internal
CVE-2019-14026 High WLAN Firmware 06/10/2019
CVE-2019-14027 High WLAN Firmware 06/10/2019
CVE-2019-14028 High WLAN Firmware 06/10/2019
CVE-2019-14030 Critical Core Power SW Internal
CVE-2019-14031 Critical WLAN Firmware Internal
CVE-2019-14045 Critical Video Internal
CVE-2019-14048 High Video Internal
CVE-2019-14050 High Fingerprint 08/01/2019
CVE-2019-14061 High Video Internal
CVE-2019-14071 Critical System Debug Internal
CVE-2019-14081 High WLAN Firmware Internal
CVE-2019-14082 High WLAN Firmware Internal
CVE-2019-14083 Critical WLAN Firmware 05/25/2019
CVE-2019-14085 High WLAN Firmware Internal
CVE-2019-14086 Critical WLAN Firmware Internal
CVE-2019-14095 Critical BTSOC 09/03/2019
CVE-2019-14097 Critical WLAN Firmware Internal
CVE-2019-14098 Critical WLAN Firmware Internal
CVE-2019-2300 High WLAN Firmware Internal
CVE-2019-2311 High WLAN Firmware Internal
CVE-2019-2317 Critical Data Modem Internal

CVE-2019-10546

CVE ID CVE-2019-10546
Title Buffer Copy Without Checking Size of Input in WLAN
Description Buffer overflow can occur in WLAN firmware while parsing beacon/probe_response frames during roaming
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8096, APQ8096AU, IPQ6018, IPQ8074, MDM9607, MDM9640, MDM9650, MSM8996AU, Nicobar, QCA6174A, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA8081, QCA9377, QCA9379, QCS404, QCS605, Rennell, SA6155P, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-10549

CVE ID CVE-2019-10549
Title Null Pointer Dereference Issue in Modem Data
Description Null pointer dereference issue can happen due to improper validation of CSEQ header response received from network
Technology Area Data Modem
Vulnerability Type CWE-476 NULL Pointer Dereference
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, Nicobar, QCM2150, QM215, Rennell, SC8180X, SDM429, SDM429W, SDM439, SDM450, SDM632, SDX24, SDX55, SM6150, SM7150, SM8150

CVE-2019-10550

CVE ID CVE-2019-10550
Title Buffer Over-read Issue in Modem Data
Description Buffer over-read when UE is trying to process the message received from the network without zero termination
Technology Area Data Modem
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* MDM9206, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, Nicobar, QCM2150, QCS605, QM215, Rennell, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-10552

CVE ID CVE-2019-10552
Title Buffer Over-read Issue in Multi-mode Call Processor
Description Multiple buffer over-read issues can happen due to improper length checks while decoding Service Reject/RAU Reject/PTMSI Realloc cmd
Technology Area Multi-Mode Call Processor
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-10553

CVE ID CVE-2019-10553
Title Buffer Over-read Issue in Multi-mode Call processor
Description Multiple read overflows due to improper length checks while decoding authentication in CS domain/RAU Reject and TC cmd
Technology Area Multi-Mode Call Processor
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-10554

CVE ID CVE-2019-10554
Title Buffer Over-read Issue in Multi Mode Call Processor
Description Multiple read overflow issues due to improper length check while decoding Identity Request in CS domain/Authentication Reject in CS domain/PRAU accept/while logging DL message
Technology Area Multi-Mode Call Processor
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-10577

CVE ID CVE-2019-10577
Title Buffer Over-read Issue in Modem Data
Description Improper input validation while processing SIP URI received from the network will lead to buffer over-read and then to denial of service
Technology Area Data Modem
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-10586

CVE ID CVE-2019-10586
Title Buffer Copy Without Checking Size of Input in Data Modem
Description Filling media attribute tag names without validating the destination buffer size which can result in the buffer overflow
Technology Area Data Modem
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-10587

CVE ID CVE-2019-10587
Title Buffer Copy Without Checking Size of Input in Data Modem
Description Possible Stack overflow can occur when processing a large SDP body or non standard SDP body without right delimiters
Technology Area Data Modem
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-10591

CVE ID CVE-2019-10591
Title Null Pointer Dereference Issue in Video
Description Null pointer dereference can happen when parsing udta atom which is non-standard and having invalid depth
Technology Area Video
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8917, MSM8939, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-10593

CVE ID CVE-2019-10593
Title Improper Validation of Array Index in Data Modem
Description Buffer overflow can occur when processing non standard SDP video Image attribute parameter in a VILTE\VOLTE call
Technology Area Data Modem
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9607, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-10594

CVE ID CVE-2019-10594
Title Improper Validation of Array Index in Data Modem
Description Stack overflow can occur when SDP is received with multiple payload types in the FMTP attribute of a video M line
Technology Area Data Modem
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-10603

CVE ID CVE-2019-10603
Title Use After Free Issue in HLOS Data
Description Use after free issue occurs if the real device interface goes down and a route lookup is performed while sending a raw IPv6 message
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8917, MSM8937, MSM8996AU, QCN7605, SDA845, SDM630, SDM636, SDM660, SDX20, SXR1130

CVE-2019-10604

CVE ID CVE-2019-10604
Title Buffer Copy Without Checking Size of Input in Debug Tools
Description Possibility of heap-buffer-overflow during last iteration of loop while populating image version information in diag command response packet
Technology Area DebugTools
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8053, APQ8096AU, APQ8098, MDM9607, MDM9640, MSM8909W, MSM8917, MSM8953, Nicobar, QCS605, QM215, Rennell, SA6155P, Saipan, SDA660, SDM429, SDM439, SDM450, SDM632, SDM670, SDM710, SDM845, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-10612

CVE ID CVE-2019-10612
Title Untrusted Pointer Dereference Issue in Kernel
Description UTCB object has a function pointer called by the reaper to deallocate its memory resources and this address can potentially be corrupted by stack overflow
Technology Area KERNEL
Vulnerability Type CWE-822 Untrusted Pointer Dereference
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* MDM9205, MDM9650, QCS605, SA6155P, SC8180X, SDA845, SDM670, SDM710, SDM845, SDM850, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-10616

CVE ID CVE-2019-10616
Title Null Pointer Dereference Issue in Trustzone
Description Possibility of null pointer access if the SPDM commands are executed in the non-standard way in TZ.
Technology Area SoC Infrastructure
Vulnerability Type CWE-476 NULL Pointer Dereference
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8009, APQ8016, MDM9150, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8998, SA6155P, SDX24

CVE-2019-14000

CVE ID CVE-2019-14000
Title Information Exposure Issue in Qualcomm IPC
Description Lack of check that the RX FIFO write index that is read from shared RAM is less than the FIFO size results in memory corruption and potential information leakage
Technology Area Qualcomm IPC
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, IPQ6018, IPQ8074, MDM9150, MDM9205, MDM9206, MDM9607, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA8081, QCM2150, QCS404, QCS405, QCS605, QM215, Rennell, SA6155P, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-14015

CVE ID CVE-2019-14015
Title Buffer Copy Without Checking Size of Input in Biometrics
Description A stack-based buffer overflow exists in the initialization of the identification stage due to lack of check on the number of templates provided.
Technology Area Fingerprint
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8096, APQ8096AU, MDM9205, MSM8996, MSM8996AU, Nicobar, QCS404, QCS405, QCS605, Rennell, SA6155P, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130, SXR2130

CVE-2019-14026

CVE ID CVE-2019-14026
Title Buffer Copy without checking size of input in WLAN
Description Possible buffer overflow in WLAN WMI handler due to lack of ssid length check when copying data
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported 06/10/2019
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, IPQ6018, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8996AU, MSM8998, Nicobar, QCA6174A, QCA6574, QCA6574AU, QCA6584AU, QCA8081, QCA9377, QCA9379, QCA9886, QCN7605, QCS404, QCS405, QCS605, Rennell, SA6155P, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-14027

CVE ID CVE-2019-14027
Title Buffer Copy Without Checking Size of Input in WLAN
Description Buffer overflow due to lack of upper bound check on channel length which is used for a loop.
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported 06/10/2019
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8098, IPQ6018, IPQ8074, MSM8998, Nicobar, QCA8081, QCN7605, QCS404, QCS605, Rennell, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SXR1130, SXR2130

CVE-2019-14028

CVE ID CVE-2019-14028
Title Buffer Copy Without Checking Size of Input in WLAN
Description Buffer overwrite during memcpy due to lack of check on SSID length validation
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported 06/10/2019
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8064, APQ8096, APQ8096AU, APQ8098, IPQ6018, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8996AU, MSM8998, Nicobar, QCA4531, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA8081, QCA9377, QCA9379, QCA9886, QCN7605, QCS404, QCS405, QCS605, Rennell, SA6155P, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-14030

CVE ID CVE-2019-14030
Title Buffer Copy Without Checking Size of Input in TrustZone
Description The size of a buffer is determined by addition and multiplication operations that have the potential to overflow due to lack of bound check
Technology Area Core Power SW
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 12/02/2019
Affected Chipsets* MDM9205, QCS404, Rennell, SC8180X, SDM845, SDM850, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130

CVE-2019-14031

CVE ID CVE-2019-14031
Title Buffer Copy Without Checking Size of Input in WLAN
Description Buffer overflow can occur while parsing RSN IE containing a list of PMK IDs which are more than the buffer size
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8064, APQ8096, APQ8096AU, APQ8098, IPQ6018, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA4531, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA8081, QCA9377, QCA9379, QCA9886, QCN7605, QCS405, QCS605, SA6155P, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-14045

CVE ID CVE-2019-14045
Title Buffer Copy Without Checking Size of Input in Video
Description Possible buffer overflow while processing clientlog and serverlog due to lack of validation of data received in logs
Technology Area Video
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 11/04/2019
Affected Chipsets* APQ8096AU, QCS605, SDM439, SM8150, SXR1130

CVE-2019-14048

CVE ID CVE-2019-14048
Title Buffer Copy Without Checking Size of Input in Video
Description Possible out of bound memory access while playing a crafted clip in media player
Technology Area Video
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/02/2019
Affected Chipsets* SM8150

CVE-2019-14050

CVE ID CVE-2019-14050
Title Integer Overflow to Buffer Overflow Issue in Biometrics
Description Out-of-bound write occurs due to lack of check of buffer size, which will cause buffer overflow only in 32-bit architecture.
Technology Area Fingerprint
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported 08/01/2019
Customer Notified Date 11/04/2019
Affected Chipsets* APQ8009, MDM9150, MDM9205, MDM9607, MDM9650, MSM8905, Nicobar, QCS405, QCS605, Rennell, SA6155P, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SM6150, SM7150, SM8150, SXR1130

CVE-2019-14061

CVE ID CVE-2019-14061
Title Buffer Over-read Issue in Video
Description Null-pointer dereference can occur while accessing the segment element info when it is not allocated and assigned
Technology Area Video
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996, MSM8996AU, Nicobar, QCS405, QCS605, QM215, Rennell, Saipan, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-14071

CVE ID CVE-2019-14071
Title Improper Access Control Issue in TrustZone
Description Compromised reset handler may bypass access control because the AC config is reset if the debug path is enabled to collect secure or non-secure RAM dumps
Technology Area System Debug
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8017, APQ8053, APQ8096, APQ8096AU, IPQ6018, MDM9205, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS404, QCS405, QCS605, QM215, Rennell, SA6155P, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130, SXR2130

CVE-2019-14081

CVE ID CVE-2019-14081
Title Buffer Over-read Issue in WLAN
Description Buffer Over-read when WLAN module gets a WMI message for SAR limits with invalid number of limits to be enforced
Technology Area WLAN Firmware
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/04/2019
Affected Chipsets* APQ8098, IPQ8074, MSM8998, QCA8081, QCN7605, QCS605, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM8150, SXR1130

CVE-2019-14082

CVE ID CVE-2019-14082
Title Buffer Over-read Issue in WLAN
Description Potential buffer over-read due to lack of bound check of memory offset passed in WLAN firmware
Technology Area WLAN Firmware
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 11/04/2019
Affected Chipsets* IPQ8074, MDM9206, MDM9207C, MDM9607, QCN7605, SM8150

CVE-2019-14083

CVE ID CVE-2019-14083
Title Buffer Copy Without Checking Size of Input in WLAN
Description While parsing Service Descriptor Extended Attribute received as part of SDF frame, there is a possibility that incorrect length is specified in the attribute length field of extended SSI which can lead to integer underflow
Technology Area WLAN Firmware
Vulnerability Type CWE-191 Integer Underflow (Wrap or Wraparound)
Access Vector Remote
Security Rating Critical
Date Reported 05/25/2019
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8009, APQ8053, APQ8096, APQ8098, IPQ6018, IPQ8074, MSM8996AU, MSM8998, Nicobar, QCA6174A, QCA6390, QCA6574AU, QCA8081, QCA9377, QCA9379, QCN7605, QCS404, QCS405, QCS605, Rennell, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130, SXR2130

CVE-2019-14085

CVE ID CVE-2019-14085
Title Integer Underflow Issue in WLAN
Description Possible Integer underflow in WLAN function due to lack of check of data received from user side
Technology Area WLAN Firmware
Vulnerability Type CWE-191 Integer Underflow (Wrap or Wraparound)
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/04/2019
Affected Chipsets* QCN7605, QCS605, SDA845, SDM670, SDM710, SDM845, SDM850, SM8150, SXR1130

CVE-2019-14086

CVE ID CVE-2019-14086
Title Buffer Copy Without Checking Size of Input in WLAN
Description Possible integer overflow while checking the length of frame which is a 32 bit integer and is added to another 32 bit integer which can lead to unexpected result during the check
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8098, MDM9607, MSM8998, QCA6584, QCN7605, QCS605, SDA660, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SXR1130

CVE-2019-14095

CVE ID CVE-2019-14095
Title Buffer Copy Without Checking Size of input in Bluetooth
Description Buffer overflow occurs while processing LMP packet in which name length parameter exceeds value specified in BT-specification
Technology Area BTSOC
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating Critical
Date Reported 09/03/2019
Customer Notified Date 01/06/2020
Affected Chipsets* APQ8009, APQ8016, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA6174A, QCA6390, QCA6574AU, QCA9377, QCA9379, QCA9886, QCM2150, QCN7605, QCS404, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-14097

CVE ID CVE-2019-14097
Title Buffer Copy without checking size of input in WLAN
Description Possible buffer overflow in WLAN Parser due to lack of length check when copying data
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8096, APQ8096AU, APQ8098, IPQ6018, IPQ8074, MDM9607, MDM9640, MDM9650, MSM8996AU, MSM8998, Nicobar, QCA6174A, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA8081, QCA9377, QCA9379, QCN7605, QCS405, QCS605, Rennell, SA6155P, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-14098

CVE ID CVE-2019-14098
Title Buffer Copy Without Checking Size of Input in WLAN
Description Possible buffer overflow in data offload handler due to lack of check of keydata length when copying data
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8064, APQ8096, APQ8096AU, IPQ6018, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8996AU, Nicobar, QCA4531, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9379, QCA9886, QCS405, QCS605, Rennell, SA6155P, SC8180X, SDA660, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130, SXR2130

CVE-2019-2300

CVE ID CVE-2019-2300
Title Buffer Copy Without Checking Size of Input in WLAN
Description Possible buffer overflow in WLAN handler due to lack of validation of destination buffer size before copying into it
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096, APQ8098, IPQ8074, MDM9206, MDM9207C, MDM9607, MSM8996, MSM8996AU, MSM8998, QCA6174A, QCA6574AU, QCA8081, QCA9377, QCA9379, QCA9886, QCS605, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SXR1130

CVE-2019-2311

CVE ID CVE-2019-2311
Title Buffer Copy Without Checking Size of Input in WLAN
Description Possible buffer overflow in WLAN handler due to lack of validation of destination buffer size before copying it
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 10/07/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8996, MSM8996AU, MSM8998, QCA6174A, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA8081, QCA9377, QCA9379, QCA9886, QCS605, SA6155P, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130

CVE-2019-2317

CVE ID CVE-2019-2317
Title Use of Insufficiently Random Values in Data Modem
Description The secret key used to make the Initial Sequence Number in the TCP SYN packet could be brute forced and therefore can be predicted
Technology Area Data Modem
Vulnerability Type CWE-330 Use of Insufficiently Random Values
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 06/03/2019
Affected Chipsets* MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, Nicobar, QCM2150, QM215, SC8180X, SDM429, SDM439, SDM450, SDM632, SDX24, SDX55, SM6150, SM7150, SM8150

* Data is generated only at the time of bulletin creation

This table summarizes security vulnerabilities that were addressed through open source software located at the corresponding open source project links.

Table of Vulnerabilities

Public ID Security Rating Technology Area Date Reported
CVE-2018-11838 High WLAN HOST Internal
CVE-2019-10526 High WLAN HOST Internal
CVE-2019-10569 High Audio Internal
CVE-2019-14029 High Graphics 09/10/2019
CVE-2019-14032 High Audio Internal
CVE-2019-14068 High Audio Internal
CVE-2019-14072 High Graphics 08/07/2019
CVE-2019-14079 High Connectivity 09/04/2019

CVE-2018-11838

CVE ID CVE-2018-11838
Title Double Free issue in WLAN
Description Possible double free issue in WLAN due to lack of checking memory free condition.
Technology Area WLAN HOST
Vulnerability Type CWE-415 Double Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8053, MDM9640, SDA660, SDM636, SDM660, SDX20
Patch*

CVE-2019-10526

CVE ID CVE-2019-10526
Title Improper Validation of Array Index in WLAN
Description Out of bound write in WLAN driver due to NULL character not properly placed after SSID name
Technology Area WLAN HOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCN7605, QCS405, QCS605, SC8180X, SDA845, SDM450, SDX20, SDX24, SDX55, SXR1130
Patch*

CVE-2019-10569

CVE ID CVE-2019-10569
Title Stack Based Buffer Overflow Issue in Audio
Description Stack buffer overflow because the instance id is misplaced inside the definition of hardware accelerated effects in the makefile
Technology Area Audio
Vulnerability Type CWE-121 Stack-based Buffer Overflow
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8053, APQ8098, MDM9607, MDM9640, MSM8998, QCS605, SC8180X, SDM439, SDM630, SDM636, SDM660, SDM845, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130
Patch*

CVE-2019-14029

CVE ID CVE-2019-14029
Title Use After Free Issue in Graphics
Description Use-after-free in graphics module due to destroying already queued syncobj in error case
Technology Area Graphics
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported 09/10/2019
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8009, APQ8053, APQ8096AU, APQ8098, MDM9607, MSM8909W, MSM8953, MSM8996AU, Nicobar, QCS405, QCS605, Rennell, SA6155P, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM670, SDM710, SDM845, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
Patch*

CVE-2019-14032

CVE ID CVE-2019-14032
Title Use After Free Issue in Audio
Description Memory use after free issue in audio due to lack of resource control
Technology Area Audio
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8953, MSM8996AU, Nicobar, QCS405, QCS605, Rennell, SA6155P, Saipan, SC8180X, SDA845, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
Patch*

CVE-2019-14068

CVE ID CVE-2019-14068
Title Buffer Copy Without Checking Size of Input in Audio
Description Out of bound access in msm routing due to lack of check of size before accessing
Technology Area Audio
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8009, APQ8053, APQ8096AU, MDM9607, MSM8905, MSM8909W, Nicobar, QCS405, QCS605, Rennell, Saipan, SDM429W, SDM845, SDX20, SDX24, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
Patch*

CVE-2019-14072

CVE ID CVE-2019-14072
Title Use After Free Issue in Linux Graphics
Description Unhandled paging request is observed due to dereferencing an already freed object because of race condition between sparse free and sparse bind ioctls which access the same physical entry
Technology Area Graphics
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported 08/07/2019
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8009, APQ8096AU, APQ8098, MDM9607, MSM8909W, MSM8939, MSM8953, MSM8996AU, Nicobar, QCS405, QCS605, Rennell, SA6155P, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM450, SDM632, SDM670, SDM710, SDM845, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
Patch*

CVE-2019-14079

CVE ID CVE-2019-14079
Title Use of Uninitialized Variable in USB Connectivity
Description Access to the uninitialized variable when the driver tries to unmap the dma buffer of a request which was never mapped in the first place leading to kernel failure
Technology Area Connectivity
Vulnerability Type CWE-457 Use of Uninitialized Variable
Access Vector Local
Security Rating High
Date Reported 09/04/2019
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8009, APQ8053, MDM9607, MDM9640, MSM8909W, MSM8953, QCA6574AU, QCS605, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM670, SDM710, SDM845, SDX24, SM8150, SXR1130
Patch*

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

  • Consideration of security protections such as SELinux not enforced on some platforms
  • Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high level OS kernel

 

Version History

Version Date Comments
1.0 March 2, 2020 Bulletin Published

All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.

Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.

This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.

©2020 Qualcomm Technologies, Inc. and/or its affiliated companies.
