CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
9.0%
In the function call related to CAM_REQ_MGR_RELEASE_BUF there is no check if the buffer is being used. So when a function called cam_mem_get_cpu_buf to get the kernel va to use, another thread can call CAM_REQ_MGR_RELEASE_BUF to unmap the kernel va which cause UAF of the kernel address.
Vendor | Product | Version | CPE |
---|---|---|---|
qualcomm | fastconnect_6800_firmware | - | cpe:2.3:o:qualcomm:fastconnect_6800_firmware:-:*:*:*:*:*:*:* |
qualcomm | fastconnect_6800 | - | cpe:2.3:h:qualcomm:fastconnect_6800:-:*:*:*:*:*:*:* |
qualcomm | fastconnect_6900_firmware | - | cpe:2.3:o:qualcomm:fastconnect_6900_firmware:-:*:*:*:*:*:*:* |
qualcomm | fastconnect_6900 | - | cpe:2.3:h:qualcomm:fastconnect_6900:-:*:*:*:*:*:*:* |
qualcomm | fastconnect_7800_firmware | - | cpe:2.3:o:qualcomm:fastconnect_7800_firmware:-:*:*:*:*:*:*:* |
qualcomm | fastconnect_7800 | - | cpe:2.3:h:qualcomm:fastconnect_7800:-:*:*:*:*:*:*:* |
qualcomm | qca6391_firmware | - | cpe:2.3:o:qualcomm:qca6391_firmware:-:*:*:*:*:*:*:* |
qualcomm | qca6391 | - | cpe:2.3:h:qualcomm:qca6391:-:*:*:*:*:*:*:* |
qualcomm | qca6426_firmware | - | cpe:2.3:o:qualcomm:qca6426_firmware:-:*:*:*:*:*:*:* |
qualcomm | qca6426 | - | cpe:2.3:h:qualcomm:qca6426:-:*:*:*:*:*:*:* |
[
{
"defaultStatus": "unaffected",
"platforms": [
"Snapdragon Compute",
"Snapdragon Consumer IOT",
"Snapdragon Industrial IOT",
"Snapdragon Mobile",
"Snapdragon Wearables"
],
"product": "Snapdragon",
"vendor": "Qualcomm, Inc.",
"versions": [
{
"status": "affected",
"version": "FastConnect 6800"
},
{
"status": "affected",
"version": "FastConnect 6900"
},
{
"status": "affected",
"version": "FastConnect 7800"
},
{
"status": "affected",
"version": "QCA6391"
},
{
"status": "affected",
"version": "QCA6426"
},
{
"status": "affected",
"version": "QCA6436"
},
{
"status": "affected",
"version": "QCN9074"
},
{
"status": "affected",
"version": "QCS410"
},
{
"status": "affected",
"version": "QCS610"
},
{
"status": "affected",
"version": "SD865 5G"
},
{
"status": "affected",
"version": "Snapdragon 8 Gen 1 Mobile Platform"
},
{
"status": "affected",
"version": "Snapdragon 865 5G Mobile Platform"
},
{
"status": "affected",
"version": "Snapdragon 865+ 5G Mobile Platform (SM8250-AB)"
},
{
"status": "affected",
"version": "Snapdragon 870 5G Mobile Platform (SM8250-AC)"
},
{
"status": "affected",
"version": "Snapdragon X55 5G Modem-RF System"
},
{
"status": "affected",
"version": "Snapdragon XR2 5G Platform"
},
{
"status": "affected",
"version": "SW5100"
},
{
"status": "affected",
"version": "SW5100P"
},
{
"status": "affected",
"version": "SXR2130"
},
{
"status": "affected",
"version": "WCD9341"
},
{
"status": "affected",
"version": "WCD9370"
},
{
"status": "affected",
"version": "WCD9380"
},
{
"status": "affected",
"version": "WCN3660B"
},
{
"status": "affected",
"version": "WCN3680B"
},
{
"status": "affected",
"version": "WCN3950"
},
{
"status": "affected",
"version": "WCN3980"
},
{
"status": "affected",
"version": "WCN3988"
},
{
"status": "affected",
"version": "WSA8810"
},
{
"status": "affected",
"version": "WSA8815"
},
{
"status": "affected",
"version": "WSA8830"
},
{
"status": "affected",
"version": "WSA8835"
}
]
}
]