October 2021 Security Bulletin

Version 1.0

Published: 10/04/2021

This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices.

Please reach out to [email protected] for any questions related to this bulletin.

Table of Contents

Announcements
Acknowledgements
Proprietary Software Issues
Open Source Software Issues
Industry Coordination
Version History

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2021-1959, CVE-2021-30288 Peter Park (peterpark)
CVE-2021-1977, CVE-2021-30304 Gengjia Chen ( @chengjia4574 ) from IceSword Lab
CVE-2021-1980 Hao Chen (@flankersky) and Guang Gong (@oldfresher) of 360 Alpha Lab
CVE-2021-30302, CVE-2021-30312 Mathy Vanhoef, New York University Abu Dhabi

 

CVE-2021-30310 Hongjian Cao of ANT Security Frontage Lab
CVE-2021-30315 Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin.
CVE-2021-1966 Chong Wang (王冲) ([email protected])
CVE-2021-1967 Zhenxiong Wu of OPPO ZIWU Cyber Security Lab
CVE-2021-1968, CVE-2021-1969 Man Yue Mo of GitHub Security Lab

Proprietary Software Issues

The tables below summarize security vulnerabilities that were addressed through proprietary software

This table lists high impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.

Public ID Security Rating CVSS Rating Technology Area Date Reported
CVE-2020-11303 High High WLAN Firmware Internal
CVE-2021-1913 High High QWES Internal
CVE-2021-1917 High High Core Services Internal
CVE-2021-1932 High High QTEE Internal
CVE-2021-1936 High High Data Network Stack & Connectivity Internal
CVE-2021-1949 High High Display Internal
CVE-2021-1959 High High Data Modem 01/05/2021
CVE-2021-1983 High High APSS Internal
CVE-2021-1984 High High APSS Internal
CVE-2021-1985 High High APSS Internal
CVE-2021-30256 High High APSS Internal
CVE-2021-30257 High High APSS Internal
CVE-2021-30258 High High APSS Internal
CVE-2021-30288 High High WLAN Firmware 02/13/2021
CVE-2021-30291 High High APSS Internal
CVE-2021-30292 High High APSS Internal
CVE-2021-30297 High High APSS Internal
CVE-2021-30302 High High WLAN Firmware 12/13/2020
CVE-2021-30304 High High WLAN Windows Host 11/26/2020
CVE-2021-30310 High High WLAN Firmware 03/13/2021

CVE-2020-11303

CVE ID CVE-2020-11303
Title Improper Access Control in WLAN
Description Accepting AMSDU frames with mismatched destination and source address can lead to information disclosure
Technology Area WLAN Firmware
Vulnerability Type CWE-284 Improper Access Control
Access Vector Remote
Security Rating High
CVSS Rating High
CVSS Score 8.6
CVSS String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Date Reported Internal
Customer Notified Date 07/05/2021
Affected Chipsets* APQ8009, APQ8053, APQ8064AU, APQ8076, APQ8092, APQ8094, APQ8096AU, AR8031, CSR6030, CSRA6620, CSRA6640, MDM8215, MDM9206, MDM9215, MDM9250, MDM9310, MDM9607, MDM9615, MDM9626, MDM9628, MDM9640, MDM9645, MDM9650, MDM9655, MSM8976, MSM8992, MSM8994, MSM8996AU, QCA0000, QCA1023, QCA1990, QCA4020, QCA6174, QCA6174A, QCA6175A, QCA6234, QCA6310, QCA6320, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCA9367, QCA9369, QCA9377, QCA9378A, QCA9379, QCA9886, QCS405, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD210, SD820, SD821, SD845, SDX12, SDX20, SDX20M, SDX24, SDX55, WCD9326, WCD9330, WCD9335, WCD9340, WCD9341, WCD9360, WCN3610, WCN3615, WCN3660B, WCN3680B, WCN3980, WCN3990, WCN3998, WCN3999, WSA8810, WSA8815

CVE-2021-1913

CVE ID CVE-2021-1913
Title Integer Overflow or Wraparound in Trust Zone
Description Possible integer overflow due to improper length check while updating grace period and count record
Technology Area QWES
Vulnerability Type CWE-190 Integer Overflow or Wraparound
Access Vector Local
Security Rating High
CVSS Rating High
CVSS Score 8.4
CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported Internal
Customer Notified Date 04/05/2021
Affected Chipsets* AQT1000, AR8035, CSRB31024, QCA6174A, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6564AU, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCA8337, QCA9377, QCA9984, QCM2290, QCM4290, QCM6490, QCS2290, QCS405, QCS4290, QCS6490, QCX315, QSM8350, SA415M, SA515M, SA6155P, SA8195P, SD 8C, SD 8CX, SD460, SD480, SD662, SD675, SD778G, SD780G, SD855, SD865 5G, SD870, SD888 5G, SDM830, SDX24, SDX55, SDX55M, SDX57M, SDXR2 5G, SM4125, SM7325, WCD9340, WCD9341, WCD9360, WCD9370, WCD9375, WCD9380, WCD9385, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WHS9410, WSA8810, WSA8815, WSA8830, WSA8835

CVE-2021-1917

CVE ID CVE-2021-1917
Title NULL Pointer Dereference in DIAG
Description Null pointer dereference can occur due to memory allocation failure in DIAG
Technology Area Core Services
Vulnerability Type CWE-476 NULL Pointer Dereference
Access Vector Local
Security Rating High
CVSS Rating High
CVSS Score 8.4
CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported Internal
Customer Notified Date 04/05/2021
Affected Chipsets* APQ8017, APQ8053, AQT1000, MSM8917, MSM8953, QCA6174A, QCA6390, QCA6391, QCA6420, QCA6430, QCA6574, QCA6574A, QCA6574AU, QCA6595, QCA6595AU, QCA6696, QCA9377, QCM6490, QCS6490, Qualcomm215, SA6145P, SA6150P, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 636, SD 675, SD429, SD439, SD460, SD480, SD632, SD662, SD665, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD855, SD865 5G, SD870, SD888, SD888 5G, SDA429W, SDM630, SDX12, SDX50M, SDX55, SDX55M, SM4125, SM6250, SM7250, SM7325, WCD9370, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3660B, WCN3680B, WCN3910, WCN3950, WCN3988, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8830, WSA8835

CVE-2021-1932

CVE ID CVE-2021-1932
Title Improper Access Control in QTEE
Description Improper access control in trusted application environment can cause unauthorized access to CDSP or ADSP VM memory with either privilege
Technology Area QTEE
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
CVSS Rating High
CVSS Score 8.4
CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported Internal
Customer Notified Date 04/05/2021
Affected Chipsets* AQT1000, AR8035, QCA6390, QCA6420, QCA6430, QCA6574A, QCA6574AU, QCA6595, QCA6595AU, QCA6696, QCA9984, QCM2290, QCM4290, QCS2290, QCS405, QCS410, QCS4290, QCS610, SA6155P, SA8150P, SA8155, SA8155P, SA8195P, SD 675, SD 8C, SD 8CX, SD460, SD480, SD662, SD675, SD678, SD720G, SD730, SD7c, SD855, SD888 5G, SDM830, SDX24, SDX50M, SDX55, SDX55M, SM4125, SM6250, SM6250P, WCD9340, WCD9341, WCD9360, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6850, WHS9410, WSA8810, WSA8815

CVE-2021-1936

CVE ID CVE-2021-1936
Title NULL Pointer Dereference in Modem
Description Null pointer dereference can occur due to lack of null check for user provided input
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-476 NULL Pointer Dereference
Access Vector Remote
Security Rating High
CVSS Rating High
CVSS Score 7.5
CVSS String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Date Reported Internal
Customer Notified Date 04/05/2021
Affected Chipsets* APQ8009W, APQ8017, APQ8053, APQ8064AU, APQ8096AU, AQT1000, MSM8909W, MSM8917, MSM8937, MSM8953, MSM8996AU, PM8937, QCA6310, QCA6320, QCA6335, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6595, QCA6595AU, QCA6696, QCM2290, QCM4290, QCM6125, QCM6490, QCS2290, QCS4290, QCS603, QCS605, QCS610, QCS6125, QCS6490, Qualcomm215, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 455, SD 636, SD 675, SD205, SD210, SD429, SD439, SD450, SD460, SD480, SD632, SD662, SD665, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD845, SD855, SD865 5G, SD870, SD888, SD888 5G, SDA429W, SDM429W, SDM630, SDW2500, SDX50M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM6250P, SM7250, SM7325, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3620, WCN3660, WCN3660B, WCN3680, WCN3680B, WCN3910, WCN3950, WCN3988, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8830, WSA8835

CVE-2021-1949

CVE ID CVE-2021-1949
Title Integer Overflow or Wraparound in Display
Description Possible integer overflow due to improper check of batch count value while sanitizer is enabled
Technology Area Display
Vulnerability Type CWE-190 Integer Overflow or Wraparound
Access Vector Local
Security Rating High
CVSS Rating High
CVSS Score 8.4
CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported Internal
Customer Notified Date 04/05/2021
Affected Chipsets* APQ8009, APQ8009W, APQ8017, APQ8053, APQ8064AU, APQ8096AU, AQT1000, AR8031, CSRA6620, CSRA6640, FSM10055, FSM10056, MDM9206, MDM9250, MDM9607, MDM9626, MDM9628, MDM9650, MSM8909W, MSM8917, MSM8953, MSM8996AU, QCA4020, QCA6174A, QCA6310, QCA6320, QCA6335, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6595, QCA6595AU, QCA6696, QCA9367, QCA9377, QCA9379, QCM4290, QCM6125, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QRB5165, QSM8250, QSW8573, Qualcomm215, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 636, SD 675, SD429, SD439, SD450, SD460, SD632, SD662, SD665, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD820, SD845, SD855, SD865 5G, SD870, SD888, SD888 5G, SDM429W, SDM630, SDM830, SDW2500, SDX20, SDX20M, SDX50M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM6250P, SM7250, SM7325, WCD9330, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3620, WCN3660, WCN3660B, WCN3680, WCN3680B, WCN3910, WCN3950, WCN3988, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8830, WSA8835

CVE-2021-1959

CVE ID CVE-2021-1959
Title Untrusted Pointer Dereference in Data Modem
Description Possible memory corruption due to lack of bound check of input index
Technology Area Data Modem
Vulnerability Type CWE-822 Untrusted Pointer Dereference
Access Vector Local
Security Rating High
CVSS Rating High
CVSS Score 7.8
CVSS String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Date Reported 01/05/2021
Customer Notified Date 04/05/2021
Affected Chipsets* APQ8009, APQ8009W, APQ8017, APQ8037, APQ8053, APQ8096AU, AQT1000, AR8035, CSR6030, CSRB31024, FSM10055, FSM10056, MDM8207, MDM9150, MDM9206, MDM9207, MDM9230, MDM9250, MDM9330, MDM9607, MDM9628, MDM9630, MDM9640, MDM9650, MSM8108, MSM8208, MSM8209, MSM8608, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8976, MSM8976SG, MSM8996AU, QCA1990, QCA6174, QCA6174A, QCA6310, QCA6320, QCA6335, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584, QCA6584AU, QCA6595, QCA6595AU, QCA6694, QCA6694AU, QCA6696, QCA8337, QCA9367, QCA9377, QCA9379, QCM2290, QCM4290, QCM6125, QCM6490, QCS2290, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QCS6490, QCX315, QET4101, QSM8350, QSW8573, Qualcomm215, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SC8180X+SDX55, SD 455, SD 636, SD 675, SD 8C, SD 8CX, SD205, SD210, SD429, SD439, SD450, SD460, SD480, SD632, SD660, SD662, SD665, SD670, SD675, SD678, SD690 5G, SD710, SD712, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD7c, SD820, SD821, SD835, SD845, SD850, SD855, SD865 5G, SD870, SD888 5G, SDA429W, SDM429W, SDM630, SDW2500, SDX12, SDX20, SDX24, SDX50M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM6250P, SM7250, SM7325, WCD9306, WCD9326, WCD9330, WCD9335, WCD9340, WCD9341, WCD9360, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3620, WCN3660, WCN3660B, WCN3680, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WHS9410, WSA8810, WSA8815, WSA8830, WSA8835

CVE-2021-1983

CVE ID CVE-2021-1983
Title Integer Overflow to Buffer Overflow in VR Service
Description Possible buffer overflow due to improper handling of negative data length while processing write request in VR service
Technology Area APSS
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
CVSS Rating High
CVSS Score 8.4
CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported Internal
Customer Notified Date 06/07/2021
Affected Chipsets* APQ8017, APQ8053, APQ8064AU, APQ8096AU, AQT1000, MSM8917, MSM8953, MSM8996AU, QCA6310, QCA6320, QCA6335, QCA6390, QCA6391, QCA6420, QCA6426, QCA6430, QCA6436, QCA6564A, QCA6564AU, QCA6574A, QCA6574AU, QCM2290, QCM4290, QCM6125, QCM6490, QCS2290, QCS4290, QCS603, QCS605, QCS610, QCS6125, QCS6490, Qualcomm215, SD 455, SD 636, SD 675, SD205, SD210, SD429, SD439, SD460, SD480, SD632, SD662, SD665, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD855, SD865 5G, SD870, SD888, SD888 5G, SDM630, SDX50M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM6250P, SM7250, SM7325, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3660B, WCN3680, WCN3680B, WCN3910, WCN3950, WCN3988, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8830, WSA8835

CVE-2021-1984

CVE ID CVE-2021-1984
Title Integer Overflow or Wraparound in VR Service
Description Possible buffer overflow due to improper validation of index value while processing the plugin block
Technology Area APSS
Vulnerability Type CWE-190 Integer Overflow or Wraparound
Access Vector Local
Security Rating High
CVSS Rating High
CVSS Score 8.4
CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported Internal
Customer Notified Date 06/07/2021
Affected Chipsets* APQ8017, APQ8053, APQ8064AU, APQ8096AU, AQT1000, MSM8917, MSM8953, MSM8996AU, QCA6310, QCA6320, QCA6335, QCA6390, QCA6391, QCA6420, QCA6426, QCA6430, QCA6436, QCA6564A, QCA6564AU, QCA6574A, QCA6574AU, QCM2290, QCM4290, QCM6125, QCM6490, QCS2290, QCS4290, QCS603, QCS605, QCS610, QCS6125, QCS6490, Qualcomm215, SD 455, SD 636, SD 675, SD205, SD210, SD429, SD439, SD460, SD480, SD632, SD662, SD665, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD855, SD865 5G, SD870, SD888, SD888 5G, SDM630, SDX50M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM6250P, SM7250, SM7325, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3660B, WCN3680, WCN3680B, WCN3910, WCN3950, WCN3988, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8830, WSA8835

CVE-2021-1985

CVE ID CVE-2021-1985
Title Buffer Over-read in VR Service
Description Possible buffer over read due to lack of data length check in QVR Service configuration
Technology Area APSS
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating High
CVSS Rating High
CVSS Score 8.4
CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported Internal
Customer Notified Date 06/07/2021
Affected Chipsets* APQ8017, APQ8053, APQ8064AU, APQ8096AU, AQT1000, MSM8917, MSM8953, MSM8996AU, QCA6310, QCA6320, QCA6335, QCA6390, QCA6391, QCA6420, QCA6426, QCA6430, QCA6436, QCA6564A, QCA6564AU, QCA6574A, QCA6574AU, QCM2290, QCM4290, QCM6125, QCM6490, QCS2290, QCS4290, QCS603, QCS605, QCS610, QCS6125, QCS6490, Qualcomm215, SD 455, SD 636, SD 675, SD205, SD210, SD429, SD439, SD460, SD480, SD632, SD662, SD665, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD855, SD865 5G, SD870, SD888, SD888 5G, SDM630, SDX50M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM6250P, SM7250, SM7325, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3660B, WCN3680, WCN3680B, WCN3910, WCN3950, WCN3988, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8830, WSA8835

CVE-2021-30256

CVE ID CVE-2021-30256
Title Buffer Copy Without Checking Size of Input in VR Service
Description Possible stack overflow due to improper validation of camera name length before copying the name in VR Service
Technology Area APSS
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
CVSS Rating High
CVSS Score 8.4
CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported Internal
Customer Notified Date 06/07/2021
Affected Chipsets* APQ8017, APQ8053, AQT1000, MSM8917, MSM8953, QCA6390, QCA6391, QCA6420, QCA6426, QCA6430, QCA6436, QCM2290, QCM4290, QCM6125, QCM6490, QCS2290, QCS4290, QCS605, QCS6125, QCS6490, Qualcomm215, SD 636, SD 675, SD429, SD439, SD460, SD480, SD632, SD662, SD665, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD855, SD865 5G, SD870, SD888, SD888 5G, SDM630, SDX50M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM7250, SM7325, WCD9370, WCD9375, WCD9380, WCD9385, WCN3615, WCN3660B, WCN3680, WCN3680B, WCN3910, WCN3950, WCN3988, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8830, WSA8835

CVE-2021-30257

CVE ID CVE-2021-30257
Title Improper Validation of Array Index in VR Service
Description Possible out of bound read or write in VR service due to lack of validation of DSP selection values
Technology Area APSS
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
CVSS Rating High
CVSS Score 8.4
CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported Internal
Customer Notified Date 06/07/2021
Affected Chipsets* APQ8017, APQ8053, AQT1000, MSM8917, MSM8953, QCA6390, QCA6391, QCA6420, QCA6426, QCA6430, QCA6436, QCM2290, QCM4290, QCM6125, QCM6490, QCS2290, QCS4290, QCS605, QCS6125, QCS6490, Qualcomm215, SD 636, SD 675, SD429, SD439, SD460, SD480, SD632, SD662, SD665, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD855, SD865 5G, SD870, SD888, SD888 5G, SDM630, SDX50M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM7250, SM7325, WCD9370, WCD9375, WCD9380, WCD9385, WCN3615, WCN3660B, WCN3680, WCN3680B, WCN3910, WCN3950, WCN3988, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8830, WSA8835

CVE-2021-30258

CVE ID CVE-2021-30258
Title Stack-based Buffer Overflow in VR Service
Description Possible buffer overflow due to improper size calculation of payload received in VR service
Technology Area APSS
Vulnerability Type CWE-121 Stack-based Buffer Overflow
Access Vector Local
Security Rating High
CVSS Rating High
CVSS Score 8.4
CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported Internal
Customer Notified Date 06/07/2021
Affected Chipsets* APQ8017, APQ8053, APQ8064AU, APQ8096AU, AQT1000, MSM8917, MSM8953, MSM8996AU, QCA6310, QCA6320, QCA6335, QCA6390, QCA6391, QCA6420, QCA6426, QCA6430, QCA6436, QCA6564A, QCA6564AU, QCA6574A, QCA6574AU, QCM2290, QCM4290, QCM6125, QCM6490, QCS2290, QCS4290, QCS603, QCS605, QCS610, QCS6125, QCS6490, Qualcomm215, SD 455, SD 636, SD 675, SD205, SD210, SD429, SD439, SD460, SD480, SD632, SD662, SD665, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD855, SD865 5G, SD870, SD888, SD888 5G, SDM429W, SDM630, SDX50M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM6250P, SM7250, SM7325, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3620, WCN3660B, WCN3680, WCN3680B, WCN3910, WCN3950, WCN3988, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8830, WSA8835

CVE-2021-30288

CVE ID CVE-2021-30288
Title Stack-based Buffer Overflow in WLAN
Description Possible stack overflow due to improper length check of TLV while copying the TLV to a local stack variable
Technology Area WLAN Firmware
Vulnerability Type CWE-121 Stack-based Buffer Overflow
Access Vector Local
Security Rating High
CVSS Rating High
CVSS Score 8.4
CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported 02/13/2021
Customer Notified Date 07/05/2021
Affected Chipsets* APQ8009, APQ8053, APQ8096AU, AQT1000, AR8031, AR8035, CSR8811, CSRA6620, CSRA6640, CSRB31024, IPQ5010, IPQ5018, IPQ5028, IPQ6000, IPQ6005, IPQ6010, IPQ6018, IPQ6028, IPQ8070, IPQ8070A, IPQ8071, IPQ8071A, IPQ8072, IPQ8072A, IPQ8074, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078, IPQ8078A, IPQ8173, IPQ8174, MSM8996AU, PMP8074, QCA1023, QCA1062, QCA1064, QCA10901, QCA2062, QCA2064, QCA2065, QCA2066, QCA4010, QCA4020, QCA4024, QCA6174A, QCA6310, QCA6335, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6428, QCA6430, QCA6431, QCA6436, QCA6438, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595AU, QCA6694, QCA6696, QCA8072, QCA8075, QCA8081, QCA9369, QCA9377, QCA9379, QCA9888, QCA9889, QCA9984, QCM2290, QCM4290, QCM6125, QCM6490, QCN5021, QCN5022, QCN5024, QCN5052, QCN5054, QCN5064, QCN5121, QCN5122, QCN5124, QCN5152, QCN5154, QCN5164, QCN5550, QCN6023, QCN6024, QCN6122, QCN7605, QCN7606, QCN9000, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCN9100, QCS2290, QCS405, QCS410, QCS4290, QCS605, QCS610, QCS6125, QCS6490, QRB5165, QSM8350, SA8155, SA8155P, SC8180X+SDX55, SC8280XP, SD 675, SD 8C, SD 8CX, SD210, SD460, SD480, SD660, SD662, SD665, SD670, SD675, SD678, SD690 5G, SD710, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD7c, SD820, SD845, SD850, SD855, SD865 5G, SD870, SD888, SD888 5G, SDM830, SDX20, SDX20M, SDX24, SDX50M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM6250P, SM7250, SM7325, WCD9326, WCD9335, WCD9340, WCD9341, WCD9360, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3660B, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WHS9410, WSA8810, WSA8815, WSA8830, WSA8835

CVE-2021-30291

CVE ID CVE-2021-30291
Title Incorrect Calculation of Buffer Size in VR Service
Description Possible memory corruption due to lack of validation of client data used for memory allocation
Technology Area APSS
Vulnerability Type CWE-131 Incorrect Calculation of Buffer Size
Access Vector Local
Security Rating High
CVSS Rating High
CVSS Score 8.4
CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported Internal
Customer Notified Date 06/07/2021
Affected Chipsets* APQ8017, APQ8053, APQ8064AU, APQ8096AU, AQT1000, MSM8917, MSM8953, MSM8996AU, QCA6310, QCA6320, QCA6335, QCA6390, QCA6391, QCA6420, QCA6426, QCA6430, QCA6436, QCA6564A, QCA6564AU, QCA6574A, QCA6574AU, QCM2290, QCM4290, QCM6125, QCS2290, QCS4290, QCS603, QCS605, QCS6125, Qualcomm215, SD 455, SD 636, SD 675, SD205, SD210, SD429, SD439, SD460, SD632, SD662, SD665, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD855, SD865 5G, SD870, SD888, SD888 5G, SDM630, SDX50M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM6250P, SM7250, SM7325, WCD9370, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3660B, WCN3680, WCN3680B, WCN3910, WCN3950, WCN3988, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8830, WSA8835

CVE-2021-30292

CVE ID CVE-2021-30292
Title Incorrect Calculation of Buffer Size in VR Service
Description Possible memory corruption due to lack of validation of client data used for memory allocation
Technology Area APSS
Vulnerability Type CWE-131 Incorrect Calculation of Buffer Size
Access Vector Local
Security Rating High
CVSS Rating High
CVSS Score 8.4
CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported Internal
Customer Notified Date 06/07/2021
Affected Chipsets* APQ8017, APQ8053, APQ8064AU, APQ8096AU, AQT1000, MSM8917, MSM8953, MSM8996AU, QCA6310, QCA6320, QCA6335, QCA6390, QCA6391, QCA6420, QCA6426, QCA6430, QCA6436, QCA6564A, QCA6564AU, QCA6574A, QCA6574AU, QCM2290, QCM4290, QCM6125, QCS2290, QCS4290, QCS603, QCS605, QCS610, QCS6125, Qualcomm215, SD 455, SD 636, SD 675, SD205, SD210, SD429, SD439, SD460, SD632, SD662, SD665, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD855, SD865 5G, SD870, SD888, SD888 5G, SDM630, SDX50M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM6250P, SM7250, SM7325, WCD9370, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3660B, WCN3680, WCN3680B, WCN3910, WCN3950, WCN3988, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8830, WSA8835

CVE-2021-30297

CVE ID CVE-2021-30297
Title Buffer Copy Without Checking Size of Input in VR Service
Description Possible out of bound read due to improper validation of packet length while handling data transfer in VR service
Technology Area APSS
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
CVSS Rating High
CVSS Score 8.4
CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported Internal
Customer Notified Date 06/07/2021
Affected Chipsets* APQ8017, APQ8053, APQ8096AU, AQT1000, MSM8917, MSM8953, MSM8996AU, QCA6310, QCA6320, QCA6335, QCA6390, QCA6391, QCA6420, QCA6426, QCA6430, QCA6436, QCA6564A, QCA6564AU, QCA6574A, QCA6574AU, QCM2290, QCM4290, QCM6125, QCS2290, QCS4290, QCS603, QCS605, QCS610, QCS6125, Qualcomm215, SD 636, SD 675, SD205, SD210, SD429, SD439, SD460, SD632, SD662, SD665, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD855, SD865 5G, SD870, SD888, SD888 5G, SDM630, SDX50M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM6250P, SM7250, SM7325, WCD9370, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3660B, WCN3680, WCN3680B, WCN3910, WCN3950, WCN3988, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8830, WSA8835

CVE-2021-30302

CVE ID CVE-2021-30302
Title Improper Authentication in WLAN
Description Improper authentication of EAP WAPI EAPOL frames from unauthenticated user can lead to information disclosure
Technology Area WLAN Firmware
Vulnerability Type CWE-287 Improper Authentication
Access Vector Remote
Security Rating High
CVSS Rating High
CVSS Score 7.5
CVSS String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Date Reported 12/13/2020
Customer Notified Date 07/05/2021
Affected Chipsets* AQT1000, AR8035, AR9380, CSR8811, IPQ4018, IPQ4028, IPQ4029, IPQ5010, IPQ5018, IPQ5028, IPQ6000, IPQ6005, IPQ6010, IPQ6018, IPQ6028, IPQ8064, IPQ8069, IPQ8070, IPQ8070A, IPQ8071, IPQ8071A, IPQ8072, IPQ8072A, IPQ8074, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078, IPQ8078A, IPQ8173, IPQ8174, PMP8074, QCA1062, QCA1064, QCA10901, QCA2062, QCA2064, QCA2065, QCA2066, QCA4024, QCA6310, QCA6335, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6428, QCA6430, QCA6431, QCA6436, QCA6438, QCA8072, QCA8075, QCA8081, QCA8337, QCA9888, QCA9889, QCA9898, QCA9980, QCA9984, QCA9990, QCA9992, QCA9994, QCM6490, QCN5021, QCN5022, QCN5024, QCN5052, QCN5054, QCN5064, QCN5121, QCN5122, QCN5124, QCN5152, QCN5154, QCN5164, QCN5550, QCN6023, QCN6024, QCN6122, QCN9000, QCN9012, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCN9100, QCS6490, QCX315, QRB5165, QSM8350, SC8180X+SDX55, SC8280XP, SD 8C, SD 8CX, SD778G, SD780G, SD865 5G, SD870, SD888, SD888 5G, SDX55, SDX55M, SDXR2 5G, SM7325, WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835

CVE-2021-30304

CVE ID CVE-2021-30304
Title Buffer Over-read in WLAN
Description Possible buffer out of bound read can occur due to improper validation of TBTT count and length while parsing the beacon response
Technology Area WLAN Windows Host
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
CVSS Rating High
CVSS Score 7.5
CVSS String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Date Reported 11/26/2020
Customer Notified Date 07/05/2021
Affected Chipsets* QCA2062, QCA2064, QCA2065, QCA2066, SC8280XP, WCD9380, WCD9385, WCN6850, WCN6851, WCN6855, WCN6856, WSA8830, WSA8835

CVE-2021-30310

CVE ID CVE-2021-30310
Title Improper Input Validation in WLAN
Description Possible buffer overflow due to Improper validation of received CF-ACK and CF-Poll data frames
Technology Area WLAN Firmware
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Remote
Security Rating High
CVSS Rating High
CVSS Score 7.5
CVSS String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Date Reported 03/13/2021
Customer Notified Date 07/05/2021
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, CSRB31024, MDM9206, MDM9250, MDM9607, MDM9626, MDM9628, MDM9640, MDM9650, MDM9655, MSM8996AU, QCA4020, QCA4531, QCA6174A, QCA6175A, QCA6310, QCA6320, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCA9367, QCA9369, QCA9377, QCA9379, QCA9886, QCM2290, QCS2290, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD210, SD480, SD690 5G, SD750G, SD765, SD765G, SD768G, SD820, SD821, SD845, SDX20, SDX20M, SDX24, SDX55, SM7250, WCD9326, WCD9330, WCD9335, WCD9340, WCD9341, WCD9360, WCD9370, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3660B, WCN3680B, WCN3910, WCN3950, WCN3988, WCN3990, WCN3991, WCN3998, WSA8810, WSA8815, WSA8830, WSA8835

*The list of affected chipsets may not be complete. For latest information, device OEMs can contact QTI directly at www.qualcomm.com/support.

Open Source Software Issues

The tables below summarize security vulnerabilities that were addressed through open source software

This table lists high impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.

Public ID Security Rating CVSS Rating Technology Area Date Reported
CVE-2021-1977 High High WLAN HOST 12/17/2020
CVE-2021-1980 High High WLAN Host Communication 01/07/2021
CVE-2021-30305 High High Graphics Internal
CVE-2021-30306 High High DSP Service Internal
CVE-2021-30312 High High WIGIG 09/21/2020
CVE-2021-30315 High High Automotive Telematics 10/12/2020
CVE-2021-30316 High High Multimedia Internal

This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.  

Public ID Security Rating CVSS Rating Technology Area Date Reported
CVE-2021-1966 Medium Medium Display 11/04/2020
CVE-2021-1967 Medium Medium WLAN HOST 12/02/2020
CVE-2021-1968 Medium Medium NPU 12/03/2020
CVE-2021-1969 Medium Medium NPU 12/03/2020

CVE-2021-1977

CVE ID CVE-2021-1977
Title Buffer Over-read in WLAN
Description Possible buffer over read due to improper validation of frame length while processing AEAD decryption during ASSOC response
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
CVSS Rating High
CVSS Score 7.5
CVSS String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Date Reported 12/17/2020
Customer Notified Date 07/05/2021
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8064AU, APQ8096AU, AR8031, AR8035, CSRA6620, CSRA6640, CSRB31024, MDM9150, MDM9206, MDM9250, MDM9607, MDM9626, MDM9628, MDM9650, MSM8953, MSM8996AU, QCA4020, QCA6174A, QCA6175A, QCA6310, QCA6320, QCA6335, QCA6390, QCA6391, QCA6426, QCA6436, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCA8337, QCA9367, QCA9377, QCA9379, QCM4290, QCM6125, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QRB5165, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 675, SD460, SD660, SD662, SD665, SD675, SD678, SD690 5G, SD720G, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD820, SD835, SD845, SD855, SD865 5G, SD870, SD888, SD888 5G, SDX12, SDX20, SDX20M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM7250, SM7325, WCD9326, WCD9330, WCD9335, WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3660B, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835
Patch**

CVE-2021-1980

CVE ID CVE-2021-1980
Title Buffer Over-read in WLAN
Description Possible buffer over read due to lack of length check while parsing beacon IE response
Technology Area WLAN Host Communication
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
CVSS Rating High
CVSS Score 7.5
CVSS String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Date Reported 01/07/2021
Customer Notified Date 06/07/2021
Affected Chipsets* APQ8053, APQ8064AU, APQ8096AU, AQT1000, AR8031, AR8035, AR9380, CSR8811, CSRA6620, CSRA6640, CSRB31024, FSM10055, FSM10056, IPQ4018, IPQ4019, IPQ4028, IPQ4029, IPQ5010, IPQ5018, IPQ5028, IPQ6000, IPQ6005, IPQ6010, IPQ6018, IPQ6028, IPQ8064, IPQ8065, IPQ8068, IPQ8069, IPQ8070, IPQ8070A, IPQ8071, IPQ8071A, IPQ8072, IPQ8072A, IPQ8074, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078, IPQ8078A, IPQ8173, IPQ8174, MDM9650, MSM8953, MSM8996AU, PMP8074, QCA1062, QCA1064, QCA2062, QCA2064, QCA2065, QCA2066, QCA4024, QCA6310, QCA6320, QCA6335, QCA6390, QCA6391, QCA6420, QCA6426, QCA6428, QCA6430, QCA6436, QCA6438, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6694, QCA6696, QCA7500, QCA8072, QCA8075, QCA8081, QCA8337, QCA9531, QCA9558, QCA9561, QCA9563, QCA9880, QCA9882, QCA9886, QCA9887, QCA9888, QCA9889, QCA9896, QCA9898, QCA9980, QCA9982, QCA9984, QCA9985, QCA9990, QCA9992, QCA9994, QCM2290, QCM4290, QCM6125, QCN5021, QCN5022, QCN5024, QCN5052, QCN5054, QCN5064, QCN5121, QCN5122, QCN5124, QCN5152, QCN5154, QCN5164, QCN5500, QCN5502, QCN5550, QCN6023, QCN6024, QCN6122, QCN9000, QCN9012, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCN9100, QCS2290, QCS405, QCS410, QCS4290, QCS610, QCS6125, QCX315, QRB5165, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SC8280XP, SD 636, SD 675, SD 8CX, SD460, SD480, SD660, SD662, SD665, SD670, SD675, SD678, SD690 5G, SD710, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD7c, SD835, SD845, SD850, SD855, SD865 5G, SD870, SD888, SD888 5G, SDM630, SDX50M, SDX55, SDX55M, SDXR1, SDXR2 5G, SM4125, SM6250, SM6250P, SM7250, SM7325, WCD9326, WCD9335, WCD9340, WCD9341, WCD9370, WCD9371, WCD9375, WCD9380, WCD9385, WCN3615, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835
Patch**

CVE-2021-30305

CVE ID CVE-2021-30305
Title Improper Input Validation in Linux Graphics
Description Possible out of bound access due to lack of validation of page offset before page is inserted
Technology Area Graphics
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
CVSS Rating High
CVSS Score 8.4
CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported Internal
Customer Notified Date 07/05/2021
Affected Chipsets* QCA6174A, QCA6391, QCA6574, QCA6574A, QCA6574AU, QCA6595AU, QCA6696, QCA9377, QCM6490, QCS6490, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD480, SD778G, SD780G, SD888 5G, SDX12, SM7325, WCD9335, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3988, WCN3991, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8830, WSA8835
Patch**

CVE-2021-30306

CVE ID CVE-2021-30306
Title Buffer Over-read in DSP Services
Description Possible buffer over read due to improper buffer allocation for file length passed from user space
Technology Area DSP Service
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating High
CVSS Rating High
CVSS Score 8.4
CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported Internal
Customer Notified Date 07/05/2021
Affected Chipsets* APQ8053, MSM8953, QCA6174A, QCA6390, QCA6391, QCA6426, QCA6574, QCA6574A, QCA6574AU, QCA6595AU, QCA6696, QCA9377, QCM6490, QCS6490, QRB5165, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD460, SD480, SD662, SD690 5G, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD865 5G, SD870, SD888, SD888 5G, SDX12, SDX55M, SM7250, SM7325, WCD9326, WCD9335, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3615, WCN3680B, WCN3950, WCN3988, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835
Patch**

CVE-2021-30312

CVE ID CVE-2021-30312
Title Improper Authentication in WIGIG Host
Description Improper authentication of sub-frames of a multicast AMSDU frame can lead to information disclosure
Technology Area WIGIG
Vulnerability Type CWE-287 Improper Authentication
Access Vector Remote
Security Rating High
CVSS Rating High
CVSS Score 7.5
CVSS String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Date Reported 09/21/2020
Customer Notified Date 07/05/2021
Affected Chipsets* APQ8053, AQT1000, AR8031, AR8035, AR9380, CSR8811, CSRA6620, CSRA6640, FSM10055, FSM10056, IPQ4018, IPQ4019, IPQ4028, IPQ4029, IPQ5010, IPQ5018, IPQ5028, IPQ6000, IPQ6010, IPQ6018, IPQ6028, IPQ8064, IPQ8065, IPQ8068, IPQ8070, IPQ8070A, IPQ8071, IPQ8071A, IPQ8072, IPQ8072A, IPQ8074, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078, IPQ8078A, IPQ8173, IPQ8174, MDM9150, MSM8953, PMP8074, QCA4024, QCA6174A, QCA6310, QCA6320, QCA6330, QCA6335, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6428, QCA6430, QCA6431, QCA6436, QCA6438, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCA7500, QCA8072, QCA8075, QCA8081, QCA8337, QCA9377, QCA9880, QCA9886, QCA9888, QCA9889, QCA9898, QCA9980, QCA9984, QCA9985, QCA9990, QCA9992, QCA9994, QCM2290, QCM4290, QCM6125, QCM6490, QCN5021, QCN5022, QCN5024, QCN5052, QCN5054, QCN5064, QCN5122, QCN5124, QCN5152, QCN5154, QCN5164, QCN5550, QCN6023, QCN6024, QCN6122, QCN9000, QCN9012, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCN9100, QCS2290, QCS405, QCS410, QCS4290, QCS610, QCS6125, QCS6490, QCX315, QRB5165, QSM8250, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 675, SD460, SD660, SD662, SD665, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD855, SD865 5G, SD870, SD888, SD888 5G, SDA429W, SDX12, SDX50M, SDX55, SDX55M, SDXR2 5G, SM4125, SM6250, SM6250P, SM7250, SM7325, WCD9326, WCD9335, WCD9341, WCD9360, WCD9370, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3620, WCN3660B, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835
Patch**

CVE-2021-30315

CVE ID CVE-2021-30315
Title Use After Free in Sensor Hardware Abstraction Layer
Description Improper handling of sensor HAL structure in absence of sensor can lead to use after free
Technology Area Automotive Telematics
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
CVSS Rating High
CVSS Score 8.4
CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported 10/12/2020
Customer Notified Date 07/05/2021
Affected Chipsets* MDM9628, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6595, QCA6595AU, QCA6696, SA6155, SA6155P, SA8150P, SA8155, SA8155P, SA8195P
Patch**

CVE-2021-30316

CVE ID CVE-2021-30316
Title Use of Out-of-range Pointer Offset in Multimedia Drivers
Description Possible out of bound memory access due to improper boundary check while creating HSYNC fence
Technology Area Multimedia
Vulnerability Type CWE-823 Use of Out-of-range Pointer Offset
Access Vector Local
Security Rating High
CVSS Rating High
CVSS Score 8.4
CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported Internal
Customer Notified Date 07/05/2021
Affected Chipsets* AR8031, CSRA6620, CSRA6640, FSM10055, FSM10056, MDM9150, QCA6174A, QCA6391, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCA9377, QCM6490, QCS405, QCS410, QCS610, QCS6490, QCX315, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 675, SD480, SD660, SD675, SD678, SD720G, SD778G, SD780G, SD888, SD888 5G, SDA429W, SDX12, SDX55, SM6250, SM7325, WCD9335, WCD9341, WCD9360, WCD9370, WCD9375, WCD9380, WCD9385, WCN3610, WCN3620, WCN3660B, WCN3680B, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835
Patch**

CVE-2021-1966

CVE ID CVE-2021-1966
Title Buffer Copy Without Checking Size of Input in Display
Description Possible buffer overflow due to lack of length check of source and destination buffer before copying
Technology Area Display
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating Medium
CVSS Rating Medium
CVSS Score 6.7
CVSS String CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Date Reported 11/04/2020
Customer Notified Date 04/05/2021
Affected Chipsets* AQT1000, AR8031, AR8035, CSRA6620, CSRA6640, FSM10055, FSM10056, QCA6390, QCA6391, QCA6420, QCA6430, QCA6574, QCA6574A, QCA6574AU, QCA6595, QCA6595AU, QCA6696, QCA8337, QCM6125, QCS405, QCS410, QCS610, QCS6125, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 8C, SD 8CX, SD665, SD690 5G, SD750G, SD765, SD765G, SD768G, SD855, SD865 5G, SD870, SDX55, SDX55M, SM7250, WCD9335, WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3950, WCN3980, WCN3988, WCN3991, WCN3998, WCN3999, WCN6850, WCN6851, WSA8810, WSA8815, WSA8830, WSA8835
Patch**

CVE-2021-1967

CVE ID CVE-2021-1967
Title Stack-based Buffer Overflow in WLAN
Description Possible stack buffer overflow due to lack of check on the maximum number of post NAN discovery attributes while processing a NAN Match event
Technology Area WLAN HOST
Vulnerability Type CWE-121 Stack-based Buffer Overflow
Access Vector Local
Security Rating Medium
CVSS Rating Medium
CVSS Score 5.3
CVSS String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Date Reported 12/02/2020
Customer Notified Date 04/05/2021
Affected Chipsets* APQ8009, APQ8053, AQT1000, AR8031, AR8035, CSRA6620, CSRA6640, MDM9206, MDM9628, QCA6174A, QCA6390, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6595, QCA6595AU, QCA6696, QCA8337, QCA9367, QCA9377, QCM4290, QCM6125, QCS405, QCS410, QCS4290, QCS605, QCS610, QCS6125, QRB5165, Qualcomm215, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 675, SD 8C, SD 8CX, SD205, SD210, SD460, SD662, SD665, SD675, SD678, SD690 5G, SD720G, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD820, SD855, SD865 5G, SD870, SD888 5G, SDA429W, SDX55, SDX55M, SDXR2 5G, SM6250, SM7250, SM7325, WCD9326, WCD9330, WCD9335, WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3620, WCN3660B, WCN3680, WCN3680B, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835
Patch**

CVE-2021-1968

CVE ID CVE-2021-1968
Title Information Exposure in Neural Processing
Description Improper validation of kernel buffer address while copying information back to user buffer can lead to kernel memory information exposure to user space
Technology Area NPU
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating Medium
CVSS Rating Medium
CVSS Score 6.2
CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Date Reported 12/03/2020
Customer Notified Date 04/05/2021
Affected Chipsets* AQT1000, AR8031, AR8035, CSRA6620, CSRA6640, FSM10055, FSM10056, MDM9150, QCA6391, QCA6420, QCA6430, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCA8337, QCM6125, QCS405, QCS410, QCS610, QCS6125, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 675, SD 8C, SD 8CX, SD665, SD675, SD678, SD720G, SD855, SDA429W, SDX55, SDX55M, SM6250, WCD9335, WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCN3610, WCN3620, WCN3660B, WCN3950, WCN3980, WCN3988, WCN3991, WCN3998, WCN3999, WSA8810, WSA8815
Patch**

CVE-2021-1969

CVE ID CVE-2021-1969
Title Information Exposure in Neural Processing
Description Improper validation of kernel buffer address while copying information back to user buffer can lead to kernel memory information exposure to user space
Technology Area NPU
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating Medium
CVSS Rating Medium
CVSS Score 6.2
CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Date Reported 12/03/2020
Customer Notified Date 04/05/2021
Affected Chipsets* AQT1000, AR8031, AR8035, CSRA6620, CSRA6640, FSM10055, FSM10056, MDM9150, QCA6391, QCA6420, QCA6430, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCA8337, QCM6125, QCS405, QCS410, QCS610, QCS6125, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 675, SD 8C, SD 8CX, SD665, SD675, SD678, SD720G, SD855, SDA429W, SDX55, SDX55M, SM6250, WCD9335, WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCN3610, WCN3620, WCN3660B, WCN3950, WCN3980, WCN3988, WCN3991, WCN3998, WCN3999, WSA8810, WSA8815
Patch**

* The list of affected chipsets may not be complete. For latest information, device OEMs can contact QTI directly at www.qualcomm.com/support.

** Data is generated only at the time of bulletin creation

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

  • Consideration of security protections such as SELinux not enforced on some platforms
  • Differences in assessment of some specific scenarios that involves local denial of service or privilege escalation vulnerabilities in the high level OS kernel

Version History

Version Date Comments
1.0 October 4, 2021 Bulletin Published

All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.

Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.

This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.

Qualcomm Technologies, Inc
5775 Morehouse Drive
San Diego, CA 92121
U.S.A.
© 2019 Qualcomm Technologies, Inc. and/or its subsidiaries. All rights reserved.

©2021 Qualcomm Technologies, Inc. and/or its affiliated companies.

References to "Qualcomm" may mean Qualcomm Incorporated, or subsidiaries or business units within the Qualcomm corporate structure, as applicable.

Qualcomm Incorporated includes Qualcomm's licensing business, QTL, and the vast majority of its patent portfolio. Qualcomm Technologies, Inc., a wholly-owned subsidiary of Qualcomm Incorporated, operates, along with its subsidiaries, substantially all of Qualcomm's engineering, research and development functions, and substantially all of its products and services businesses. Qualcomm products referenced on this page are products of Qualcomm Technologies, Inc. and/or its subsidiaries.

Materials that are as of a specific date, including but not limited to press releases, presentations, blog posts and webcasts, may have been superseded by subsequent events or disclosures.

Nothing in these materials is an offer to sell any of the components or devices referenced herein.