October 2019 Security Bulletin
Version 1.1
Published: 10/07/2019
This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices.
Please reach out to [email protected] for any questions related to this bulletin.
Announcements
We have discontinued publication of the open source public bulletin at https://www.codeaurora.org/security-advisories/security-bulletins . Starting from September 2019, we will have one single monthly bulletin listing both open-source and closed-source vulnerabilities
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
| CVE-2019-10486, CVE-2019-10503 | Pengfei Ding(丁鹏飞) of Huawei Mobile Security Lab |
| CVE-2019-2302 | Gengjia Chen (chengjia4574) |
| CVE-2019-10566, CVE-2019-2297 | Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin. |
| CVE-2019-10617 | Michael Bourque |
| CVE-2019-10627 | XiaoyuHe@VARAS |
| CVE-2019-2289 | syssec@kaist |
| CVE-2019-2318 | Wen Guanxing from Pangu LAB |
This table summarizes security vulnerabilities that were addressed through proprietary software
Table of Vulnerabilities
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2018-13916 | Critical | KERNEL | Internal |
| CVE-2019-10490 | High | GPS HLOS Driver | Internal |
| CVE-2019-10617 | High | Bluetooth HOST | 4/16/2019 |
| CVE-2019-10627 | Critical | Printer Software | 8/14/2019 |
| CVE-2019-2251 | Critical | Boot | Internal |
| CVE-2019-2271 | Critical | Multi-Mode Call Processor | Internal |
| CVE-2019-2289 | Critical | Multi-Mode Call Processor | 12/27/2018 |
| CVE-2019-2295 | High | System Debug | Internal |
| CVE-2019-2303 | High | GERAN | Internal |
| CVE-2019-2315 | Critical | Content Protection | Internal |
| CVE-2019-2318 | High | QTEE | 12/10/2018 |
| CVE-2019-2329 | Critical | QTEE | Internal |
| CVE-2019-2335 | High | Multi-Mode Call Processor | Internal |
| CVE-2019-2336 | Critical | QTEE | Internal |
| CVE-2019-2339 | Critical | QTEE | Internal |
CVE-2018-13916
| CVE ID | CVE-2018-13916 |
| Title | Improper Validation of Array Index in Kernel |
| Description | Out-of-bounds memory access in Qurt kernel function when using the identifier to access Qurt kernel buffer to retrieve thread data. |
| Technology Area | KERNEL |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 01/07/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, IPQ8074, MDM9150, MDM9206, MDM9607, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8976, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA8081, QCM2150, QCN7605, QCS404, QCS405, QCS605, QM215, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX55, SM8150, SM8250, Snapdragon_High_Med_2016, SXR1130, SXR2130 |
CVE-2019-10490
| CVE ID | CVE-2019-10490 |
| Title | Use After Free Issue in GPS Module |
| Description | Use after free issue in Xtra daemon shutdown due to static object instance getting freed from a multiple places |
| Technology Area | GPS HLOS Driver |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 05/06/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCS605, SDA660, SDA845, SDM450, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SM6150, SM7150, SM8150, SM8250, SXR2130 |
CVE-2019-10617
| CVE ID | CVE-2019-10617 |
| Title | Permissions, Privileges and Access control Issues in Bluetooth Host |
| Description | Low privilege users can access service configuration which contains registry data that admins uses to create or delete entries in the registry |
| Technology Area | Bluetooth HOST |
| Vulnerability Type | CWE-264 Permissions, Privileges, and Access Controls |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 4/16/2019 |
| Customer Notified Date | 8/28/2019 |
| Affected Chipsets* | QCA6174_9377 |
CVE-2019-10627
| CVE ID | CVE-2019-10627 |
| Title | Buffer overflow vulnerability in the PostScript- and PDF-compatible interpreters |
| Description | Integer overflow to buffer overflow vulnerability in PostScript image handling code used by the PostScript- and PDF-compatible interpreters due to incorrect buffer size calculation. |
| Technology Area | Printer Software |
| Vulnerability Type | CWE-680 Integer overflow to buffer overflow |
| Access Vector | Remote |
| Security Rating | Critical |
| Date Reported | 8/14/2019 |
| Customer Notified Date | 9/24/2019 |
| Affected Chipsets* | PostScript and PDF printers that use IPS versions prior to 2019.2 |
CVE-2019-2251
| CVE ID | CVE-2019-2251 |
| Title | Buffer Copy Without Checking Size of Input in Boot |
| Description | If a bitmap file is loaded from any un-authenticated source, there is a possibility that the bitmap can potentially cause stack buffer overflow. |
| Technology Area | Boot |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 01/07/2019 |
| Affected Chipsets* | APQ8016, APQ8096AU, APQ8098, MDM9205, MSM8996AU, MSM8998, Nicobar, QCS405, QCS605, SA6155P, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2019-2271
| CVE ID | CVE-2019-2271 |
| Title | Improper Validation of Array Index in NAS |
| Description | Buffer over read can happen while parsing downlink session management OTA messages if network sends un-intended values |
| Technology Area | Multi-Mode Call Processor |
| Vulnerability Type | CWE-126 Buffer Over-read, CWE-129 Improper Validation of Array Index |
| Access Vector | Remote |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 04/01/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8976, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, Snapdragon_High_Med_2016, SXR1130, SXR2130 |
CVE-2019-2289
| CVE ID | CVE-2019-2289 |
| Title | Improper Authentication in NAS |
| Description | Lack of integrity check allows MODEM to accept any NAS messages which can result into authentication bypass of NAS |
| Technology Area | Multi-Mode Call Processor |
| Vulnerability Type | CWE-287 Improper Authentication |
| Access Vector | Remote |
| Security Rating | Critical |
| Date Reported | 12/27/2018 |
| Customer Notified Date | 04/01/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8976, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, Snapdragon_High_Med_2016, SXR1130, SXR2130 |
CVE-2019-2295
| CVE ID | CVE-2019-2295 |
| Title | Untrusted Pointer Dereference in System Debug |
| Description | Information disclosure due to lack of address range check done on the SysDBG buffers in SDI code. |
| Technology Area | System Debug |
| Vulnerability Type | CWE-822 Untrusted Pointer Dereference |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 05/06/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, MDM9205, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8998, Nicobar, QCS404, QCS405, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, Snapdragon_High_Med_2016, SXR1130 |
CVE-2019-2303
| CVE ID | CVE-2019-2303 |
| Title | Buffer Over-read Issue in GSNDCP Module |
| Description | SNDCP module may access array out side its boundary when it receives malformed XID message. |
| Technology Area | GERAN |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 04/01/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8976, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, Snapdragon_High_Med_2016, SXR1130, SXR2130 |
CVE-2019-2315
| CVE ID | CVE-2019-2315 |
| Title | Permissions, Privileges and Access Controls Issue in Content Protection |
| Description | While invoking the API to copy from fd or local buffer to the secure buffer, Parameters being populated are from non secure environment. |
| Technology Area | Content Protection |
| Vulnerability Type | CWE-264 Permissions, Privileges, and Access Controls |
| Access Vector | Local |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 04/01/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, QCS404, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, Snapdragon_High_Med_2016, SXR1130, SXR2130 |
CVE-2019-2318
| CVE ID | CVE-2019-2318 |
| Title | Buffer Over-read Issue in QTEE |
| Description | Non Secure Kernel can cause Trustzone to do an arbitrary memory read which will result into DOS |
| Technology Area | QTEE |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 12/10/2018 |
| Customer Notified Date | 04/01/2019 |
| Affected Chipsets* | APQ8017, APQ8053, APQ8096, APQ8096AU, IPQ8074, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, QCA8081, QM215, SDM429, SDM439, SDM450, SDM632, Snapdragon_High_Med_2016 |
CVE-2019-2329
| CVE ID | CVE-2019-2329 |
| Title | Use After Free Issue in QTEE |
| Description | Use after free issue in cleanup routine due to missing pointer sanitization for a failed start of a trusted application. |
| Technology Area | QTEE |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 04/01/2019 |
| Affected Chipsets* | MDM9205, QCS404, QCS605, SDA845, SDM670, SDM710, SDM845, SDX55, SM6150, SM7150, SM8150, SXR1130, SXR2130 |
CVE-2019-2335
| CVE ID | CVE-2019-2335 |
| Title | Loop with Unreachable Exit Condition in NAS |
| Description | While processing Attach Reject message, Valid exit condition is not met resulting into an infinite loop |
| Technology Area | Multi-Mode Call Processor |
| Vulnerability Type | CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 04/01/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8976, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX55, SM6150, SM7150, SM8150, SM8250, Snapdragon_High_Med_2016, SXR1130, SXR2130 |
CVE-2019-2336
| CVE ID | CVE-2019-2336 |
| Title | Use After Free Issue in QTEE |
| Description | Subsequent use of the CBO listener may result in further memory corruption due to use after free issue. |
| Technology Area | QTEE |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 04/01/2019 |
| Affected Chipsets* | MDM9205, QCS404, SDX55, SM6150, SM7150, SM8150, SXR2130 |
CVE-2019-2339
| CVE ID | CVE-2019-2339 |
| Title | Improper Restriction of Operation Within the Bounds of Memory in QTEE |
| Description | Out of bound access due to lack of check of whiltelist array size while reading the image elf segments. |
| Technology Area | QTEE |
| Vulnerability Type | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer |
| Access Vector | Local |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 04/01/2019 |
| Affected Chipsets* | MDM9205, QCS404, QCS605, SDA845, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130, SXR2130 |
* Data is generated only at the time of bulletin creation
This table summarizes security vulnerabilities that were addressed through open source software located at the corresponding open source project links
Table of Vulnerabilities
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2019-10486 | Medium | Multimedia | 11/21/2018 |
| CVE-2019-10503 | Medium | Multimedia | 12/15/2018 |
| CVE-2019-10535 | High | WLAN HOST | Internal |
| CVE-2019-10563 | Medium | WLAN HOST | Internal |
| CVE-2019-10565 | Medium | Camera Driver | Internal |
| CVE-2019-10566 | Medium | WLAN HOST | 09/05/2018 |
| CVE-2019-2266 | Medium | Camera Driver | Internal |
| CVE-2019-2268 | High | WLAN HOST | Internal |
| CVE-2019-2297 | Medium | WLAN HOST | 10/30/2018 |
| CVE-2019-2302 | Medium | WLAN HOST | 08/15/2018 |
CVE-2019-10486
| CVE ID | CVE-2019-10486 |
| Title | Time-of-check Time-of-use Race Condition in Camera |
| Description | Race condition due to the lack of resource lock which will be concurrently modified in the memcpy statement leads to out of bound access |
| Technology Area | Multimedia |
| Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 11/21/2018 |
| Customer Notified Date | 07/01/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8939, MSM8953, MSM8996AU, MSM8998, Nicobar, QCN7605, QCS405, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, SDM845, SDX20, SDX24, SM6150, SM7150, SM8150 |
| Patch* |
CVE-2019-10503
| CVE ID | CVE-2019-10503 |
| Title | Improper Validation of Array Index in Camera |
| Description | Out-of-bounds access can occur in camera driver due to improper validation of array index |
| Technology Area | Multimedia |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 12/15/2018 |
| Customer Notified Date | 07/01/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, QCN7605, SDA660, SDM450, SDM630, SDM636, SDM660, SDX20 |
| Patch* |
CVE-2019-10535
| CVE ID | CVE-2019-10535 |
| Title | Use of Out-of-range Pointer Offset in WLAN HOST |
| Description | Improper validation for loop variable received from firmware can lead to out of bound access in WLAN function while iterating through loop |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 07/01/2019 |
| Affected Chipsets* | APQ8053, APQ8096AU, APQ8098, MDM9640, MSM8996AU, MSM8998, QCA6574AU, QCN7605, QCS405, QCS605, SDA845, SDM845, SDX20 |
| Patch* |
CVE-2019-10563
| CVE ID | CVE-2019-10563 |
| Title | Buffer Over-read Issue in WLAN HOST |
| Description | Buffer over-read can occur in fast message handler due to improper input validation while processing a message from firmware |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | Internal |
| Customer Notified Date | 07/01/2019 |
| Affected Chipsets* | APQ8053, APQ8096AU, MSM8996AU, MSM8998, QCN7605, QCS405, QCS605, SDA660, SDM636, SDM660, SDX20, SDX24 |
| Patch* |
CVE-2019-10565
| CVE ID | CVE-2019-10565 |
| Title | Double Free Issue in Camera Driver |
| Description | Double free issue can happen when sensor power settings is freed by some thread while another thread try to access. |
| Technology Area | Camera Driver |
| Vulnerability Type | CWE-415 Double Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | Internal |
| Customer Notified Date | 07/01/2019 |
| Affected Chipsets* | APQ8053, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909, MSM8909W, QCN7605, QCS405, QCS605, SDM845, SDX24, SXR1130 |
| Patch* |
CVE-2019-10566
| CVE ID | CVE-2019-10566 |
| Title | Buffer Copy Without Checking Size of Input in WLAN HOST |
| Description | Buffer overflow can occur in wlan module if supported rates or extended rates element length is greater than max rate set length |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 09/05/2018 |
| Customer Notified Date | 07/01/2019 |
| Affected Chipsets* | APQ8017, APQ8053, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8905, MSM8996AU, Nicobar, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCN7605, QCS405, QCS605, SDA845, SDM670, SDM710, SDM845, SDX20, SM6150, SM8150, SM8250, SXR2130 |
| Patch* |
CVE-2019-2266
| CVE ID | CVE-2019-2266 |
| Title | Use After Free Issue in Camera |
| Description | Possible double free issue in kernel while handling the camera sensor and its sub modules power sequence |
| Technology Area | Camera Driver |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | Internal |
| Customer Notified Date | 07/01/2019 |
| Affected Chipsets* | APQ8053, IPQ4019, IPQ8064, MDM9206, MDM9207C, MDM9607, MSM8909, MSM8909W, Nicobar, QCA9980, QCS405, QCS605, SDM845, SDX24, SM7150, SM8150 |
| Patch* |
CVE-2019-2268
| CVE ID | CVE-2019-2268 |
| Title | Buffer Over-read in WLAN |
| Description | Possible OOB read issue in P2P action frames while handling WLAN management frame |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 03/04/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8996AU, MSM8998, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCS405, QCS605, SDA660, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150 |
| Patch* |
|
CVE-2019-2297
| CVE ID | CVE-2019-2297 |
| Title | Integer Overflow to Buffer Overflow in WLAN |
| Description | Buffer overflow can occur while processing non-standard NAN message from user space. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 10/30/2018 |
| Customer Notified Date | 07/01/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, IPQ4019, IPQ8064, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCN7605, QCS405, QCS605, SDA660, SDA845, SDM636, SDM660, SDM845, SDX20, SDX24, SM8150 |
| Patch* |
CVE-2019-2302
| CVE ID | CVE-2019-2302 |
| Title | Buffer Copy Without Checking Size of Input in WLAN |
| Description | While processing vendor command which contains corrupted channel count, an integer overflow occurs and finally will lead to heap overflow. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow'), CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 08/15/2018 |
| Customer Notified Date | 04/01/2019 |
| Affected Chipsets* | APQ8017, APQ8053, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8976, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCN7605, QCS405, QCS605, SDA845, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SM6150, SM8150 |
| Patch* |
* Data is generated only at the time of bulletin creation
Industry Coordination
Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:
- Consideration of security protections such as SELinux not enforced on some platforms
- Differences in assessment of some specific scenarios that involves local denial of service or privilege escalation vulnerabilities in the high level OS kernel
Version History
| Version | Date | Comments |
| 1.1 | October 7, 2019 | Details for CVE-2019-10617 and CVE-2019-10627 added |
| 1.0 | October 7, 2019 | Bulletin Published |
All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.
Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.
This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.
- Announcements
- Acknowledgements
- Table of Vulnerabilities
- CVE-2018-13916
- CVE-2019-10490
- CVE-2019-10617
- CVE-2019-10627
- CVE-2019-2251
- CVE-2019-2271
- CVE-2019-2289
- CVE-2019-2295
- CVE-2019-2303
- CVE-2019-2315
- CVE-2019-2318
- CVE-2019-2329
- CVE-2019-2335
- CVE-2019-2336
- CVE-2019-2339
- Table of Vulnerabilities
- CVE-2019-10486
- CVE-2019-10503
- CVE-2019-10535
- CVE-2019-10563
- CVE-2019-10565
- CVE-2019-10566
- CVE-2019-2266
- CVE-2019-2268
- CVE-2019-2297
- CVE-2019-2302
- Industry Coordination
- Version History
