Version 1.2
This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable but not limited to Android for MSM (all Android releases from CAF using the Linux-kernel), Firefox OS for MSM & QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v 1.2 of the ratings scheme can be found at the following link.
Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.
Announcements
None.
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
| CVE-2018-3571, CVE-2018-3572 | Peter Pi of Tencent Security Platform Department |
| CVE-2018-5833 | This issue was found by Google when evaluating a previous fix. |
| CVE-2017-0781, CVE-2017-11037, CVE-2017-11039, CVE-2017-11070, CVE-2017-11077, CVE-2017-11083, CVE-2017-11084, CVE-2017-11086, CVE-2017-14904, CVE-2017-15857, CVE-2017-17767, CVE-2017-17768, CVE-2017-18154, CVE-2018-3585 | Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/bulletin/ for individual credit information. |
| CVE-2018-3562, CVE-2018-3579, CVE-2018-3580, CVE-2018-3581, CVE-2018-3582 | This issue was reported to Qualcomm by a security researcher who asked to remain anonymous. |
| CVE-2017-14883, CVE-2017-14884, CVE-2017-14888, CVE-2017-15832, CVE-2017-15854, CVE-2017-18070, CVE-2018-3565 | Gengjia Chen ( @chengjia4574 ), pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360 Technology Co. Ltd. |
| CVE-2018-3576, CVE-2018-3578 | Hao Chen(@flankersky) and Guang Gong(@oldfresher) of Alpha Team, Qihoo 360 Technology Co. Ltd. |
| CVE-2017-11036, CVE-2017-15842, CVE-2017-15843 | Yonggang Guo (@guoygang) of IceSword Lab, Qihoo 360 Technology Co. Ltd. |
| CVE-2017-11072, CVE-2017-14871 | derrek (https://twitter.com/derrekr6) |
| CVE-2017-11065, CVE-2017-14880 | Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360 |
| CVE-2017-17769 | Pengfei Ding |
| CVE-2015-0235 | Qualys |
| CVE-2017-0464 | Found internally, then reported by an external researcher to Google, who reported it to us. |
| CVE-2017-11068, CVE-2017-11094, CVE-2017-11095, CVE-2017-15835, CVE-2017-17772 | Scott Bauer |
Table of vulnerabilities
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2018-3572 | Medium | Audio | 11/2/2017 |
| CVE-2018-5833 | Medium | Multimedia | 8/30/2017 |
| CVE-2018-5900 | High | Boot | Internal |
| CVE-2018-5901 | High | Boot | Internal |
| CVE-2018-3585 | Medium | Camera | 8/30/2017 |
| CVE-2018-5846 | High | Data Network Stack & Connectivity | Internal |
| CVE-2018-5902 | High | Data Network Stack & Connectivity | Internal |
| CVE-2018-5840 | High | Display | Internal |
| CVE-2018-5845 | High | Display | Internal |
| CVE-2018-5847 | High | Display | Internal |
| CVE-2018-5849 | Medium | Trusted Execution Environment | 8/22/2017 |
| CVE-2018-3571 | Medium | Graphics | 8/31/2017 |
| CVE-2018-5841 | High | Kernel | Internal |
| CVE-2018-5844 | High | Video | Internal |
| CVE-2018-5848 | High | WIGIG | Internal |
| CVE-2018-3562 | Critical | WLAN HOST | 11/8/2017 |
| CVE-2018-3565 | Critical | WLAN HOST | 10/24/2017 |
| CVE-2018-3576 | Medium | WLAN HOST | 9/20/2017 |
| CVE-2018-3578 | Medium | WLAN HOST | 11/16/2017 |
| CVE-2018-3579 | Medium | WLAN HOST | 11/13/2017 |
| CVE-2018-3580 | High | WLAN HOST | 11/8/2017 |
| CVE-2018-3581 | Medium | WLAN HOST | 11/13/2017 |
| CVE-2018-3582 | High | WLAN HOST | 11/13/2017 |
| CVE-2018-5842 | High | WLAN HOST | 9/20/2017 |
| CVE-2018-5843 | High | WLAN HOST | Internal |
| CVE-2018-5850 | High | WLAN HOST | Internal |
| CVE-2018-5851 | High | WLAN HOST | Internal |
| CVE-2017-0399 | High | Audio | Internal |
| CVE-2017-0400 | High | Audio | Internal |
| CVE-2017-0401 | High | Audio | Internal |
| CVE-2017-0402 | High | Audio | Internal |
| CVE-2017-15842 | Medium | Audio | 10/9/2017 |
| CVE-2017-18165 | High | Audio | Internal |
| CVE-2017-11086 | Medium | Multimedia | 4/4/2017 |
| CVE-2017-11072 | Medium | Boot | 6/27/2017 |
| CVE-2017-14871 | Medium | Boot | 6/22/2017 |
| CVE-2017-17768 | High | Boot | 10/13/2017 |
| CVE-2017-18162 | High | Boot | Internal |
| CVE-2017-11039 | Medium | Camera | 12/9/2016 |
| CVE-2017-11077 | Medium | Camera | 4/10/2017 |
| CVE-2017-15857 | Medium | Camera | 8/30/2017 |
| CVE-2015-8215 | Medium | Data Network Stack & Connectivity | Internal |
| CVE-2017-14880 | Medium | Data Network Stack & Connectivity | 7/14/2017 |
| CVE-2017-14904 | Medium | Display | 8/15/2017 |
| CVE-2017-15827 | Medium | Display | 6/1/2017 |
| CVE-2017-17769 | High | Display | 8/1/2017 |
| CVE-2017-18154 | Medium | Display | 8/15/2017 |
| CVE-2017-18161 | High | Display | Internal |
| CVE-2017-18164 | High | Display | Internal |
| CVE-2017-18166 | High | Display | Internal |
| CVE-2017-18167 | Medium | Display | Internal |
| CVE-2015-0235 | Critical | OE | Internal |
| CVE-2017-11037 | Medium | Power | 1/6/2017 |
| CVE-2015-3847 | High | Security | Internal |
| CVE-2017-11065 | Medium | SoC Infrastructure | 5/2/2017 |
| CVE-2017-15843 | Medium | SoC Infrastructure | 3/15/2017 |
| CVE-2017-18163 | High | Trusted Execution Environment | Internal |
| CVE-2014-9940 | High | Stability | Internal |
| CVE-2016-2454 | High | Video | Internal |
| CVE-2017-11070 | High | Video | 6/9/2017 |
| CVE-2017-17767 | High | Video | 9/19/2017 |
| CVE-2017-11036 | Medium | WIGIG | 5/2/2017 |
| CVE-2017-0464 | Medium | WLAN HOST | 8/25/2016 |
| CVE-2017-11068 | Critical | WLAN HOST | 5/9/2017 |
| CVE-2017-11083 | Medium | WLAN HOST | 6/2/2017 |
| CVE-2017-11084 | Medium | WLAN HOST | 4/14/2017 |
| CVE-2017-11094 | Critical | WLAN HOST | 5/14/2017 |
| CVE-2017-11095 | Critical | WLAN HOST | 5/2/2017 |
| CVE-2017-14883 | High | WLAN HOST | 9/13/2017 |
| CVE-2017-14884 | High | WLAN HOST | 9/14/2017 |
| CVE-2017-14888 | Medium | WLAN HOST | 9/21/2017 |
| CVE-2017-15819 | High | WLAN HOST | Internal |
| CVE-2017-15832 | High | WLAN HOST | 9/15/2017 |
| CVE-2017-15835 | Medium | WLAN HOST | 8/23/2017 |
| CVE-2017-15854 | High | WLAN HOST | 9/15/2017 |
| CVE-2017-17772 | High | WLAN HOST | 11/17/2017 |
| CVE-2017-18070 | High | WLAN HOST | 9/14/2017 |
| CVE-2017-18168 | High | WLAN HOST | Internal |
| CVE-2016-6716 | Medium | Android UI | Internal |
| CVE-2017-0781 | Critical | Bluetooth HOST | Internal |
| CVE-2017-11020 | High | Bluetooth HOST | Internal |
CVE-2018-3572
| CVE ID | CVE-2018-3572 |
| Title | Improper Restriction of Operations within the Bounds of a Memory Buffer in Audio |
| Description | While processing a DSP buffer in an audio driver’s event handler, an index of a buffer is not checked before accessing the buffer. |
| Technology Area | Audio |
| Vulnerability Type | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 11/2/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2018-5833
| CVE ID | CVE-2018-5833 |
| Title | Improper Validation of Array Index in Camera |
| Description | In the camera driver, an out-of-bounds access can occur. |
| Technology Area | Multimedia |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 8/30/2017 |
| Customer Notified Date | 3/5/2018 |
| Patch |
CVE-2018-5900
| CVE ID | CVE-2018-5900 |
| Title | Incorrect Type Conversion or Cast in Boot |
| Description | Data loss can potentially occur when using a GetTimerCountms() function |
| Technology Area | Boot |
| Vulnerability Type | CWE-704 Incorrect Type Conversion or Cast |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 1/1/2018 |
| Patch |
CVE-2018-5901
| CVE ID | CVE-2018-5901 |
| Title | Incorrect Type Conversion or Cast in Boot |
| Description | While device is failed to locate the VB protocol, the return value is not correct because of the type of IsSecureBootEnable is BOOLEAN, but the type of Status is UINTN |
| Technology Area | Boot |
| Vulnerability Type | CWE-704 Incorrect Type Conversion or Cast |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 1/1/2018 |
| Patch |
CVE-2018-3585
| CVE ID | CVE-2018-3585 |
| Title | Improper Validation of Array Index in Camera |
| Description | In the camera driver, an null pointer access can occur due to an error in copying region params from userspace. |
| Technology Area | Camera |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 8/30/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2018-5846
| CVE ID | CVE-2018-5846 |
| Title | Use After Free in IPA |
| Description | A Use After Free condition can occur in the IPA driver whenever the IPA IOCTLs IPA_IOC_NOTIFY_WAN_UPSTREAM_ROUTE_ADD/IPA_IOC_NOTIFY_WAN_UPSTREAM_ROUTE_DEL/IPA_IOC_NOTIFY_WAN_EMBMS_CONNECTED are called |
| Technology Area | Data Network Stack & Connectivity |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 1/1/2018 |
| Patch |
CVE-2018-5902
| CVE ID | CVE-2018-5902 |
| Title | Improper Access Control in Data |
| Description | While processing a userspace command to enable a GSI debug register read, an unauthorized access to protected registers can occur. |
| Technology Area | Data Network Stack & Connectivity |
| Vulnerability Type | CWE-284 Improper Access Control |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2018-5840
| CVE ID | CVE-2018-5840 |
| Title | Buffer Copy without Checking Size of Input in Display |
| Description | Buffer Copy without Checking Size of Input can occur during the DRM SDE driver initialization sequence. |
| Technology Area | Display |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 1/1/2018 |
| Patch |
CVE-2018-5845
| CVE ID | CVE-2018-5845 |
| Title | Use After Free in Display Driver |
| Description | A race condition in drm_atomic_nonblocking_commit() in the display driver can potentially lead to a Use After Free scenario. |
| Technology Area | Display |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 1/1/2018 |
| Patch |
CVE-2018-5847
| CVE ID | CVE-2018-5847 |
| Title | Use After Free in Display |
| Description | Early or late retirement of rotation requests can result in a Use After Free condition. |
| Technology Area | Display |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 1/1/2018 |
| Patch |
CVE-2018-5849
| CVE ID | CVE-2018-5849 |
| Title | Use After Free in QTEE |
| Description | Due to a race condition in the QTEECOM driver, when more than one HLOS client loads the same TA, a Use After Free condition can occur. |
| Technology Area | Trusted Execution Environment |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 8/22/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2018-3571
| CVE ID | CVE-2018-3571 |
| Title | Use After Free in Graphics |
| Description | In the KGSL driver, a Use After Free condition can occur when printing information about sparse memory allocations |
| Technology Area | Graphics |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 8/31/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2018-5841
| CVE ID | CVE-2018-5841 |
| Title | Improper Input Validation in Kernel |
| Description | dcc_curr_list is initialized with a default invalid value that is expected to be programmed by the user through a sysfs node which could lead to an invalid access |
| Technology Area | Kernel |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2018-5844
| CVE ID | CVE-2018-5844 |
| Title | Use After Free in Video |
| Description | In the video driver function set_output_buffers(), binfo can be accessed after being freed in a failure scenario. |
| Technology Area | Video |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 1/1/2018 |
| Patch |
CVE-2018-5848
| CVE ID | CVE-2018-5848 |
| Title | Buffer Copy without Checking Size of Input in WIGIG |
| Description | In the function wmi_set_ie(), the length validation code does not handle unsigned integer overflow properly. As a result, a large value of the ‘ie_len’ argument can cause a buffer overflow |
| Technology Area | WIGIG |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2018-3562
| CVE ID | CVE-2018-3562 |
| Title | Buffer Over-read in WLAN |
| Description | Buffer over -read can occur while processing a FILS authentication frame |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | AdjacentNetwork |
| Security Rating | High |
| Date Reported | 11/8/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2018-3565
| CVE ID | CVE-2018-3565 |
| Title | Buffer Copy without Checking Size of Input in WLAN |
| Description | While sending a probe request indication in lim_send_sme_probe_req_ind(), a buffer overflow can occur. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Critical |
| Date Reported | 10/24/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
|
CVE-2018-3576
| CVE ID | CVE-2018-3576 |
| Title | Improper Validation of Array Index in WLAN |
| Description | improper validation of array index in WiFi driver function sapInterferenceRssiCount() leads to array out-of-bounds access. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 9/20/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2018-3578
| CVE ID | CVE-2018-3578 |
| Title | Incorrect Calculation of Buffer Size in WLAN |
| Description | Type mismatch for ie_len can cause the WLAN driver to allocate less memory on the heap due to implicit casting leading to a heap buffer overflow |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-131 Incorrect Calculation of Buffer Size |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 11/16/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2018-3579
| CVE ID | CVE-2018-3579 |
| Title | Buffer Over-read in WLAN |
| Description | In the WLAN driver, event->num_entries_in_page is a value received from firmware that is not properly validated which can lead to a buffer over-read |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 11/13/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2018-3580
| CVE ID | CVE-2018-3580 |
| Title | Stack-based Buffer Overflow in WLAN |
| Description | Stack-based buffer overflow can occur In the WLAN driver if the pmkid_count value is larger than the PMKIDCache size. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-121 Stack-based Buffer Overflow |
| Access Vector | AdjacentNetwork |
| Security Rating | High |
| Date Reported | 11/8/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2018-3581
| CVE ID | CVE-2018-3581 |
| Title | Improper Restriction of Operations within the Bounds of a Memory Buffer in WLAN |
| Description | In the WLAN driver, a buffer overwrite can occur if the vdev_id received from firmware is larger than max_bssid. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 11/13/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2018-3582
| CVE ID | CVE-2018-3582 |
| Title | Buffer Copy without Checking Size of Input in WLAN |
| Description | Buffer overflow can occur due to improper input validation in multiple WMA event handler functions |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 11/13/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2018-5842
| CVE ID | CVE-2018-5842 |
| Title | Buffer Copy without Checking Size of Input in WLAN |
| Description | An arbitrary address write can occur if a compromised WLAN firmware sends incorrect data to WLAN driver |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/20/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2018-5843
| CVE ID | CVE-2018-5843 |
| Title | Improper Restriction of Operations within the Bounds of a memory Buffer in WLAN |
| Description | In the function wma_pdev_div_info_evt_handler(), there is no upper bound check on the value event->num_chains_valid received from firmware which can lead to a buffer overwrite of the fixed size chain_rssi_result structure. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 1/1/2018 |
| Patch |
CVE-2018-5850
| CVE ID | CVE-2018-5850 |
| Title | Improper Input Validation in WLAN |
| Description | In the function csr_update_fils_params_rso(), insufficient validation on a key length can result in an integer underflow leading to a buffer overflow |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2018-5851
| CVE ID | CVE-2018-5851 |
| Title | Improper Validation of Array Index in WLAN |
| Description | Buffer over flow can occur while processing a HTT_T2H_MSG_TYPE_TX_COMPL_IND message with an out-of-range num_msdus value |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2017-0399
| CVE ID | CVE-2017-0399 |
| Title | Improper Validation of Array Index in Audio |
| Description | An information disclosure vulnerability in lvm/wrapper/Bundle/EffectBundle.cpp in libeffects in audioserver could enable a local malicious application to access data outside of its permission levels |
| Technology Area | Audio |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 4/11/2017 |
| Patch |
CVE-2017-0400
| CVE ID | CVE-2017-0400 |
| Title | Improper Validation of Array Index in Audio |
| Description | An information disclosure vulnerability in lvm/wrapper/Bundle/EffectBundle.cpp in libeffects in audioserver could enable a local malicious application to access data outside of its permission levels |
| Technology Area | Audio |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 4/11/2017 |
| Patch |
CVE-2017-0401
| CVE ID | CVE-2017-0401 |
| Title | Improper Validation of Array Index in Audio |
| Description | Function equalizer_get_num_presets() does not check if the preset value is a negative number before using the value as an array index. This could result in an over-read |
| Technology Area | Audio |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 4/11/2017 |
| Patch |
CVE-2017-0402
| CVE ID | CVE-2017-0402 |
| Title | Improper Validation of Array Index in Audio |
| Description | An information disclosure vulnerability in lvm/wrapper/Bundle/EffectBundle.cpp in libeffects in audioserver could enable a local malicious application to access data outside of its permission levels |
| Technology Area | Audio |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 4/11/2017 |
| Patch |
CVE-2017-15842
| CVE ID | CVE-2017-15842 |
| Title | Use After Free in Audio. |
| Description | Buffer might get used after it gets freed due to unlocking the mutex before freeing the buffer. |
| Technology Area | Audio |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 10/9/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2017-18165
| CVE ID | CVE-2017-18165 |
| Title | NULL Pointer Dereference in Audio |
| Description | In case of memory allocation failure, _vol_cmd_cnt is not reset. In _volume_cmds_free, NULL pointer dereference would happen for _vol_cmds[i] |
| Technology Area | Audio |
| Vulnerability Type | CWE-476 NULL Pointer Dereference |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/14/2017 |
| Patch |
CVE-2017-11086
| CVE ID | CVE-2017-11086 |
| Title | Improper Validation of Array Index in Camera |
| Description | In the camera driver, an out-of-bounds access can occur due to the same msm_sd_subdev being added into ordered_sd_list. |
| Technology Area | Multimedia |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 4/4/2017 |
| Customer Notified Date | 10/2/2017 |
| Patch |
|
CVE-2017-11072
| CVE ID | CVE-2017-11072 |
| Title | Buffer Copy without Checking Size of Input in Boot |
| Description | While calculating CRC for GPT header fields with partition entries greater than 16384 buffer overflow occurs. |
| Technology Area | Boot |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 6/27/2017 |
| Customer Notified Date | 9/1/2017 |
| Patch |
CVE-2017-14871
| CVE ID | CVE-2017-14871 |
| Title | Information Exposure in Boot |
| Description | During the Meta image flashing, an integer overflow of the image header size which is passed as an argument to function HandleRawImageFlash() may potentially occur. |
| Technology Area | Boot |
| Vulnerability Type | CWE-200 Information Exposure |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 6/22/2017 |
| Customer Notified Date | 10/2/2017 |
| Patch |
CVE-2017-17768
| CVE ID | CVE-2017-17768 |
| Title | Integer Overflow to Buffer Overflow in WLAN |
| Description | In multiple WiFI driver functions, integer overflows leading to heap buffer overflow may potentially occur. |
| Technology Area | Boot |
| Vulnerability Type | CWE-200 Information Exposure |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 10/13/2017 |
| Customer Notified Date | 1/1/2018 |
| Patch |
CVE-2017-18162
| CVE ID | CVE-2017-18162 |
| Title | Integer Overflow or Wraparound in Boot |
| Description | UNITN is used to store size of a buffer such as dataBytesReceived, mNumberDataBytes, and are further used in arithmetic expressions with UNIT32/UNIT64 makes the code vulnerable to integer overflows and truncation errors. |
| Technology Area | Boot |
| Vulnerability Type | CWE-190 Integer Overflow or Wraparound |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 3/14/2017 |
| Patch |
CVE-2017-11039
| CVE ID | CVE-2017-11039 |
| Title | Buffer Over-read in Camera |
| Description | In msm_actuator, a kernel out-of-bounds access could potentially occur due to invalid actuator operation and unexpected behavior in lens movement. |
| Technology Area | Camera |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 12/9/2016 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-11077
| CVE ID | CVE-2017-11077 |
| Title | Use After Free in Camera |
| Description | A race condition exists in the camera driver due to the lack of a fine-grained locking mechanism in vb2 operations. |
| Technology Area | Camera |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 4/10/2017 |
| Customer Notified Date | 10/2/2017 |
| Patch |
CVE-2017-15857
| CVE ID | CVE-2017-15857 |
| Title | Improper Validation of Array Index in Camera |
| Description | In the camera driver, an out-of-bounds access can occur due to an error in copying region params from userspace. |
| Technology Area | Camera |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 8/30/2017 |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2015-8215
| CVE ID | CVE-2015-8215 |
| Title | Improper Input Validation in Data |
| Description | The current code does not restrict the MTU being set by a user application. A remote user can send a malformed RA with a very low or very high MTU. The user application without proper checks can set the wrong MTU using proc values, which can stop packet flow. |
| Technology Area | Data Network Stack & Connectivity |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | AdjacentNetwork |
| Security Rating | Medium |
| Date Reported | Internal |
| Customer Notified Date | 7/3/2017 |
| Patch |
CVE-2017-14880
| CVE ID | CVE-2017-14880 |
| Title | Time-of-check Time-of-use (TOCTOU) Race Condition in Data |
| Description | While IPA WAN-driver is processing multiple requests from modem/user-space module, the global variable “num_q6_rule” does not have a mutex lock and thus can be accessed and modified by multiple threads. |
| Technology Area | Data Network Stack & Connectivity |
| Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 7/14/2017 |
| Customer Notified Date | 11/6/2017 |
| Patch |
CVE-2017-14904
| CVE ID | CVE-2017-14904 |
| Title | Use of Out-of-range Pointer Offset in Display |
| Description | A crafted binder request can cause an arbitrary unmap in MediaServer. |
| Technology Area | Display |
| Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 8/15/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2017-15827
| CVE ID | CVE-2017-15827 |
| Title | Possible buffer overflow when dsi commands are sent from dsi sysfs node |
| Description | A buffer overflow can potentially occur when trying to process the dsi on commands in mdss_dsi_cmd_flush as there is no check for length of string coming from the user. |
| Technology Area | Display |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 6/1/2017 |
| Customer Notified Date | 11/6/2017 |
| Patch |
CVE-2017-17769
| CVE ID | CVE-2017-17769 |
| Title | Information Exposure in Audio |
| Description | Information leakage can occur in the audio driver. |
| Technology Area | Display |
| Vulnerability Type | CWE-200 Information Exposure |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 8/1/2017 |
| Customer Notified Date | 1/1/2018 |
| Patch |
CVE-2017-18154
| CVE ID | CVE-2017-18154 |
| Title | Use of Out-of-range Pointer Offset in Display |
| Description | A crafted binder request can cause an arbitrary unmap in MediaServer. |
| Technology Area | Display |
| Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 8/15/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2017-18161
| CVE ID | CVE-2017-18161 |
| Title | NULL Pointer Dereference in Display |
| Description | NULL pointer dereference can occur display because the parameters which are assumed to have been configured in the normal scenario are accessed without checking. |
| Technology Area | Display |
| Vulnerability Type | CWE-476 NULL Pointer Dereference |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 1/10/2017 |
| Patch |
CVE-2017-18164
| CVE ID | CVE-2017-18164 |
| Title | NULL Pointer Dereference in Display |
| Description | NULL pointer dereference could occur if post-processing ioctl (MSMFB_MDP_PP) is used to read/write calibration data using NULL pipe pointer. |
| Technology Area | Display |
| Vulnerability Type | CWE-476 NULL Pointer Dereference |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/14/2017 |
| Patch |
CVE-2017-18166
| CVE ID | CVE-2017-18166 |
| Title | Improper Input Validation in Display |
| Description | Improper input validation of input config->len in mdss_mdp_igc_lut_config() can lead to buffer overflow |
| Technology Area | Display |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 4/11/2017 |
| Patch |
CVE-2017-18167
| CVE ID | CVE-2017-18167 |
| Title | Uncontrolled Resource Consumption in Display |
| Description | Possible Memory leak issue in compat path of display driver |
| Technology Area | Display |
| Vulnerability Type | CWE-400 Uncontrolled Resource Consumption (‘Resource Exhaustion’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | Internal |
| Customer Notified Date | 7/3/2017 |
| Patch |
CVE-2015-0235
| CVE ID | CVE-2015-0235 |
| Title | Buffer Copy Without Checking Size of Input in OE |
| Description | Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka “GHOST |
| Technology Area | OE |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Network |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 9/1/2017 |
| Patch |
CVE-2017-11037
| CVE ID | CVE-2017-11037 |
| Title | Time-of-check Time-of-use (TOCTOU) Race Condition in Core |
| Description | When multiple entities access the /sys/kernel/debug/pc_debug_counter simultaneously, a Use After Free condition can occur. |
| Technology Area | Power |
| Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 1/6/2017 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2015-3847
| CVE ID | CVE-2015-3847 |
| Title | Improper Access Control on Bluetooth |
| Description | A vulnerability in Android’s Bluetooth component could allow a local application to delete stored SMS messages. |
| Technology Area | Security |
| Vulnerability Type | CWE-284 Improper Access Control |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 3/14/2017 |
| Patch |
CVE-2017-11065
| CVE ID | CVE-2017-11065 |
| Title | Improper Validation of Array Index in Core |
| Description | The user supplied acd offset is not verified to be within the acd register range which could lead to out-of-bounds read/write. |
| Technology Area | SoC Infrastructure |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 5/2/2017 |
| Customer Notified Date | 9/1/2017 |
| Patch |
CVE-2017-15843
| CVE ID | CVE-2017-15843 |
| Title | Double Free in msm_bus_floor_vote_context() |
| Description | Due to a race condition in a bus driver, a double free in msm_bus_floor_vote_context() can potentially occur. |
| Technology Area | SoC Infrastructure |
| Vulnerability Type | CWE-415 Double Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 3/15/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2017-18163
| CVE ID | CVE-2017-18163 |
| Title | Information Exposure in Boot |
| Description | Improper Handling of memory allocation failure scenario may lead to unauthorized access and decryption of MDTP data |
| Technology Area | Trusted Execution Environment |
| Vulnerability Type | CWE-200 Information Exposure |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/14/2017 |
| Patch |
CVE-2014-9940
| CVE ID | CVE-2014-9940 |
| Title | Possible Use After Free in regulator_ena_gpio_free |
| Description | In the regulator_ena_gpio_free routine, the loop could access the pin after freeing it |
| Technology Area | Stability |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/14/2017 |
| Patch |
CVE-2016-2454
| CVE ID | CVE-2016-2454 |
| Title | Improper Input Validation in Video Hardware |
| Description | Remote attackers can cause a denial of service (reboot) in hardware video codec via a crafted file |
| Technology Area | Video |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Network |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 3/14/2017 |
| Patch |
CVE-2017-11070
| CVE ID | CVE-2017-11070 |
| Title | Use After Free in Video |
| Description | Input buffer is accessed in one thread and can be potentially freed in another. |
| Technology Area | Video |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 6/9/2017 |
| Customer Notified Date | 9/1/2017 |
| Patch |
CVE-2017-17767
| CVE ID | CVE-2017-17767 |
| Title | Use After Free in Video |
| Description | The IL client may free a buffer OMX Video Encoder Component and then subsequently access the already freed buffer. |
| Technology Area | Video |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/19/2017 |
| Customer Notified Date | 1/1/2018 |
| Patch |
CVE-2017-11036
| CVE ID | CVE-2017-11036 |
| Title | Buffer Over-read in WIGIG |
| Description | While sending Tx management frame through debug-fs, a buffer overflow occurs if an invalid length is provided. |
| Technology Area | WIGIG |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 5/2/2017 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-0464
| CVE ID | CVE-2017-0464 |
| Title | Buffer Copy Without Checking Size of Input in WLAN |
| Description | Buffer overflow can occur when processing a QCA_NL80211_VENDOR_SUBCMD_GSCAN_SET_SSID_HOTLIST cfg80211 vendor command where an instance of the QCA_WLAN_VENDOR_ATTR_GSCAN_SSID_THRESHOLD_PARAM_SSID attribute exceeds the documented maximum size |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 8/25/2016 |
| Customer Notified Date | 8/7/2017 |
| Patch |
|
CVE-2017-11068
| CVE ID | CVE-2017-11068 |
| Title | Buffer Copy without Checking Size of Input in WLAN |
| Description | In the function rrmProcessBeaconReportReq(), if the total number of channels (across all the channel lists) in the beacon report request exceeds 8, a heap-based buffer overflow can potentially occur. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | AdjacentNetwork |
| Security Rating | Critical |
| Date Reported | 5/9/2017 |
| Customer Notified Date | 9/1/2017 |
| Patch |
CVE-2017-11083
| CVE ID | CVE-2017-11083 |
| Title | Buffer Over-read in WLAN |
| Description | Request ID in __wlan_hdd_cfg80211_set_epno_list is improperly attributed to the enum QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_REQUEST_ID , which is part of the attributes corresponding to extscan configuration. This results to an invalid input validation while validating the request id in wlan_hdd_cfg80211_set_epno_list as this enum value represents to a different set in qca_wlan_vendor_attr_pno_config_params . |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 6/2/2017 |
| Customer Notified Date | 10/2/2017 |
| Patch |
CVE-2017-11084
| CVE ID | CVE-2017-11084 |
| Title | Buffer Copy without Checking Size of Input in WLAN |
| Description | If the extn capabilities, which are user-controlled, has size greater than the maximum supported, a buffer overflow can potentially occur. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 4/14/2017 |
| Customer Notified Date | 10/2/2017 |
| Patch |
CVE-2017-11094
| CVE ID | CVE-2017-11094 |
| Title | Buffer Over-read in WLAN |
| Description | In case where access point is sending challenge text greater than 128 bytes, a buffer over-read can potentially occur. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | AdjacentNetwork |
| Security Rating | Critical |
| Date Reported | 5/14/2017 |
| Customer Notified Date | 10/2/2017 |
| Patch |
CVE-2017-11095
| CVE ID | CVE-2017-11095 |
| Title | Stack-based Buffer Overflow in WLAN |
| Description | Due to the lack of a boundary check for “pIe->arraybound”, a stack overflow can potentially occur in the WiFi driver function “sirConvertReassocReqFrame2Struct”. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-121 Stack-based Buffer Overflow |
| Access Vector | AdjacentNetwork |
| Security Rating | Critical |
| Date Reported | 5/2/2017 |
| Customer Notified Date | 10/2/2017 |
| Patch |
CVE-2017-14883
| CVE ID | CVE-2017-14883 |
| Title | Integer Overflow to Buffer Overflow in WLAN |
| Description | In the function wma_unified_power_debug_stats_event_handler(), if the value param_buf->num_debug_register received from the FW command buffer is close to max of uint32, then the computation performed using this variable to calculate stats_registers_len may overflow to a smaller value leading to less than required memory allocated for power_stats_results and potentially a buffer overflow while copying the FW buffer to local buffer. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/13/2017 |
| Customer Notified Date | 11/6/2017 |
| Patch |
CVE-2017-14884
| CVE ID | CVE-2017-14884 |
| Title | Buffer Copy without Checking Size of Input in WLAN |
| Description | Due to lack of bounds checking on the variable “data_len” from the function WLANQCMBR_McProcessMsg(), a buffer overflow may potentially occur in WLANFTM_McProcessMsg(). |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/14/2017 |
| Customer Notified Date | 11/6/2017 |
| Patch |
CVE-2017-14888
| CVE ID | CVE-2017-14888 |
| Title | Buffer Copy without Checking Size of Input in WLAN |
| Description | In the function limProcessUpdateAddIEs(), userspace can pass IEs to the host driver and if multiple append commands are received, then the integer variable that stores the length can overflow and the subsequent copy of the IE data may potentially lead to a heap buffer overflow. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 9/21/2017 |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-15819
| CVE ID | CVE-2017-15819 |
| Title | Stack-based Buffer Overflow in WLAN |
| Description | In WLAN, a stack-based buffer overflow vulnerability may potentially occur while processing an encrypted AUTH Frame. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-121 Stack-based Buffer Overflow |
| Access Vector | AdjacentNetwork |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 11/6/2017 |
| Patch |
CVE-2017-15832
| CVE ID | CVE-2017-15832 |
| Title | Buffer overwrite due to improper input validation in WLAN host |
| Description | Buffer overwrite in the WLAN host driver by leveraging a compromised WLAN FW |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/15/2017 |
| Customer Notified Date | 12/4/2017 |
| Patch |
CVE-2017-15835
| CVE ID | CVE-2017-15835 |
| Title | Loop with Unreachable Exit Condition in WLAN |
| Description | While processing the RIC Data Descriptor IE in an artificially crafted 802.11 frame with IE length more than 255, an infinite loop may potentially occur resulting in a denial of service. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-835 Loop with Unreachable Exit Condition (‘Infinite Loop’) |
| Access Vector | AdjacentNetwork |
| Security Rating | Medium |
| Date Reported | 8/23/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2017-15854
| CVE ID | CVE-2017-15854 |
| Title | Interger Overflow to Buffer Overflow in WLAN |
| Description | The value of fix_param->num_chans is received from firmware and if it is too large, an integer overflow can occur in wma_radio_chan_stats_event_handler() for the derived length len leading to a subsequent buffer overflow. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/15/2017 |
| Customer Notified Date | 1/1/2018 |
| Patch |
CVE-2017-17772
| CVE ID | CVE-2017-17772 |
| Title | Multiple buffer overread vulnerabilities in WLAN |
| Description | In multiple functions that process 802.11 frames, out-of-bounds reads can occur due to insufficient validation. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | AdjacentNetwork |
| Security Rating | High |
| Date Reported | 11/17/2017 |
| Customer Notified Date | 2/5/2018 |
| Patch |
CVE-2017-18070
| CVE ID | CVE-2017-18070 |
| Title | Integer Overflow to Buffer Overflow in WLAN |
| Description | In wma_ndp_end_response_event_handler(), the variable len_end_rsp is a uint32 which can be overflowed if the value of variable “event->num_ndp_end_rsp_per_ndi_list” is very large which can then lead to a heap overwrite of the heap object end_rsp. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 9/14/2017 |
| Customer Notified Date | 1/1/2018 |
| Patch |
CVE-2017-18168
| CVE ID | CVE-2017-18168 |
| Title | Buffer Copy Without Checking Size of Input in WLAN |
| Description | Buffer overrun vulnerability while processing get chain RSSI vendor command |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 9/1/2017 |
| Patch |
CVE-2016-6716
| CVE ID | CVE-2016-6716 |
| Title | Improper Acess Control in AOSP Launcher |
| Description | An elevation of privilege vulnerability in the AOSP Launcher could allow a local malicious application to create shortcuts that have elevated privileges without the user’s consent |
| Technology Area | Android UI |
| Vulnerability Type | CWE-284 Improper Access Control |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | Internal |
| Customer Notified Date | 2/14/2017 |
| Patch |
|
CVE-2017-0781
| CVE ID | CVE-2017-0781 |
| Title | Incorrect Calculation of Buffer Size in Bluetooth |
| Description | An incorrect buffer size is calculated when BT_HDR is included and memory can leak when BNEP control frames are pulled in fragments. |
| Technology Area | Bluetooth HOST |
| Vulnerability Type | CWE-131 Incorrect Calculation of Buffer Size |
| Access Vector | Local |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 12/4/2017 |
| Patch |
|
CVE-2017-11020
| CVE ID | CVE-2017-11020 |
| Title | Use After Free in Bluetooth |
| Description | When Bluetooth timeouts occur, sometimes alarm callback frees the alarm and tries to use it again. |
| Technology Area | Bluetooth HOST |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 9/1/2017 |
| Patch |
Industry Coordination
Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:
- Consideration of security protections such as SELinux not enforced on some platforms
- Differences in assessment of some specific scenarios that involves local denial of service or privilege escalation vulnerabilities in the high level OS kernel
Version History
| Version | Date | Comments |
| 1.0 | May 8, 2018 | Bulletin Published |
| 1.1 | April 1, 2019 | Upgraded CVE-2018-3565 from High to Critical |
| 1.2 | August 9, 2019 | Added links to CVE-2018-3565 |