Qca6678Aq Firmware Security Vulnerabilities - July

CVE-2022-33271

Information disclosure due to buffer over-read in WLAN while parsing NMF frame.

CVE-2022-33275

Memory corruption due to improper validation of array index in WLAN HAL when received lm_itemNum is out of range.

CVE-2022-33277

Memory corruption in modem due to buffer copy without checking size of input while receiving WMI command.

CVE-2022-33306

Transient DOS due to buffer over-read in WLAN while processing an incoming management frame with incorrectly filled IEs.

CVE-2022-34145

Transient DOS due to buffer over-read in WLAN Host while parsing frame information.

CVE-2022-40512

Transient DOS in WLAN Firmware due to buffer over-read while processing probe response or beacon.

CVE-2022-40514

Memory corruption due to buffer copy without checking the size of input in WLAN Firmware while processing CCKM IE in reassoc response frame.

CVE-2022-40530

Memory corruption in WLAN due to integer overflow to buffer overflow in WLAN during initialization phase.

CVE-2022-40531

Memory corruption in WLAN due to incorrect type cast while sending WMI_SCAN_SCH_PRIO_TBL_CMDID message.

CVE-2022-40532

Memory corruption due to integer overflow or wraparound in WLAN while sending WMI cmd from host to target.

CVE-2023-21656

Memory corruption in WLAN HOST while receiving an WMI event from firmware.

CVE-2023-21658

Transient DOS in WLAN Firmware while processing the received beacon or probe response frame.

CVE-2023-21659

Transient DOS in WLAN Firmware while processing frames with missing header fields.

CVE-2023-28539

Memory corruption in WLAN Host when the firmware invokes multiple WMI Service Available command.

CVE-2023-28541

Memory Corruption in Data Modem while processing DMA buffer release event about CFR data.

CVE-2023-28548

Memory corruption in WLAN HAL while processing Tx/Rx commands from QDART.

CVE-2023-28549

Memory corruption in WLAN HAL while parsing Rx buffer in processing TLV payload.

CVE-2023-28550

Memory corruption in MPP performance while accessing DSM watermark using external memory address.

CVE-2023-28553

Information Disclosure in WLAN Host when processing WMI event command.

CVE-2023-28557

Memory corruption in WLAN HAL while processing command parameters from untrusted WMI payload.

CVE-2023-28558

Memory corruption in WLAN handler while processing PhyID in Tx status handler.

CVE-2023-28567

Memory corruption in WLAN HAL while handling command through WMI interfaces.

CVE-2023-28571

Information disclosure in WLAN HOST while processing the WLAN scan descriptor list during roaming scan.

CVE-2023-28572

Memory corruption in WLAN HOST while processing the WLAN scan descriptor list.

CVE-2023-28573

Memory corruption in WLAN HAL while parsing WMI command parameters.

CVE-2023-28587

Memory corruption in BT controller while parsing debug commands with specific sub-opcodes at HCI interface level.

CVE-2023-33015

Transient DOS in WLAN Firmware while interpreting MBSSID IE of a received beacon frame.

CVE-2023-33026

Transient DOS in WLAN Firmware while parsing a NAN management frame.

CVE-2023-33027

Transient DOS in WLAN Firmware while parsing rsn ies.

CVE-2023-33028

Memory corruption in WLAN Firmware while doing a memory copy of pmk cache.

CVE-2023-33047

Transient DOS in WLAN Firmware while parsing no-inherit IES.

CVE-2023-33062

Transient DOS in WLAN Firmware while parsing a BTM request.

CVE-2023-33080

Transient DOS while parsing a vender specific IE (Information Element) of reassociation response management frame.

CVE-2023-33088

Memory corruption when processing cmd parameters while parsing vdev.

CVE-2023-33089

Transient DOS when processing a NULL buffer while parsing WLAN vdev.

CVE-2023-33098

Transient DOS while parsing WPA IES, when it is passed with length more than expected size.

CVE-2023-33109

Transient DOS while processing a WMI P2P listen start command (0xD00A) sent from host.

CVE-2023-43511

Transient DOS while parsing IPv6 extension header when WLAN firmware receives an IPv6 packet that contains IPPROTO_NONE as the next header.

CVE-2023-43522

Transient DOS while key unwrapping process, when the given encrypted key is empty or NULL.

CVE-2023-43533

Transient DOS in WLAN Firmware when the length of received beacon is less than length of ieee802.11 beacon frame.

CVE-2023-43536

Transient DOS while parse fils IE with length equal to 1.

CVE-2024-21456

Information Disclosure while parsing beacon frame in STA.

CVE-2024-21457

INformation disclosure while handling Multi-link IE in beacon frame.

CVE-2024-21458

Information disclosure while handling SA query action frame.

CVE-2024-21461

Memory corruption while performing finish HMAC operation when context is freed by keymaster.

CVE-2024-21462

Transient DOS while loading the TA ELF file.

CVE-2024-21465

Memory corruption while processing key blob passed by the user.

CVE-2024-21466

Information disclosure while parsing sub-IE length during new IE generation.

CVE-2024-21469

Memory corruption when an invoke call and a TEE call are bound for the same trusted application.

CVE-2024-23368

Memory corruption when allocating and accessing an entry in an SMEM partition.