# April 2025 Security Bulletin

## Published: 04/07/2025

This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices.
                This document includes (i) a description of security issues that have been addressed in QTI’s proprietary code and (ii) links to publicly available code where security issues have been addressed.

Please reach out to
                [securitybulletin@qti.qualcomm.com](mailto:securitybulletin@qti.qualcomm.com)
                for any questions related to this bulletin.

## Table of Contents

| Announcements |
| --- |
| Acknowledgements |
| Proprietary Software Issues |
| Open Source Software Issues |
| Industry Coordination |

##  Announcements 

None

## Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

| CVE-2024-45552 | kong (yikong) |
| --- | --- |
| CVE-2024-49848 | Seth Jenkins from Google Project Zero, Conghui Wang |
| CVE-2025-21421,CVE-2025-21434,CVE-2024-43058,CVE-2024-43067 | Heidada |
| CVE-2025-21435 | Conghui Wang (conghuiwang) |
| CVE-2024-43046 | Woven by Toyota, Inc Vincent Mailhol |
| CVE-2024-45540 | Zhenxiong Wu |
| CVE-2024-45543 | hhjjyy (hjy79425575) |
| CVE-2024-45544 | ayano23th (ayano23th) |

## Proprietary Software Issues

The tables below summarize security vulnerabilities that were addressed through proprietary software

This table lists high impact security vulnerabilities.
                Patches are being actively shared with OEMs, who have been notified and strongly recommended to deploy those patches on released devices as soon as possible. 
                Please contact the device manufacturer for information on the patching status of released devices.

| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
| --- | --- | --- | --- | --- |
| CVE-2024-45551 | Critical | Medium | HLOS | Internal |
| CVE-2024-45556 | Critical | Medium | TZ Firmware | Internal |
| CVE-2025-21442 | Critical | High | Automotive Vehicle Networks | Internal |
| CVE-2025-21443 | Critical | High | Automotive Vehicle Networks | Internal |
| CVE-2024-33058 | High | High | Core | Internal |
| CVE-2024-43065 | High | High | HLOS | Internal |
| CVE-2024-45549 | High | High | KERNEL | Internal |
| CVE-2024-45552 | High | High | Data Network Stack & Connectivity | 06/03/2024 |
| CVE-2024-45557 | High | High | Trust Management Engine | Internal |
| CVE-2025-21421 | High | High | Display | 10/23/2024 |
| CVE-2025-21423 | High | High | Display | Internal |
| CVE-2025-21425 | High | High | Automotive Linux OS | Internal |
| CVE-2025-21431 | High | Medium | Automotive Software platform based on QNX | Internal |
| CVE-2025-21438 | High | High | Windows WLAN Host | Internal |
| CVE-2025-21439 | High | High | Windows WLAN Host | Internal |
| CVE-2025-21440 | High | High | Windows WLAN Host | Internal |
| CVE-2025-21441 | High | High | Windows WLAN Host | Internal |
| CVE-2025-21447 | High | High | Computer Vision | Internal |
| CVE-2025-21448 | High | High | WLAN Firmware | Internal |

This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.

| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
| --- | --- | --- | --- | --- |
| CVE-2024-43046 | Medium | Medium | TZ Secure OS | 08/15/2024 |

### CVE-2024-45551

| CVE ID | CVE-2024-45551 |
| --- | --- |
| Title | Weak Authentication in HLOS |
| Description | Cryptographic issue occurs during PIN/password verification using Gatekeeper, where RPMB writes can be dropped on verification failure, potentially leading to a user throttling bypass. |
| Technology Area | HLOS |
| Vulnerability Type | CWE-1390: Weak Authentication |
| Access Vector | Local |
| Security Rating | Critical |
| CVSS Rating | Medium |
| CVSS Score | 6.2 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Date Reported | Internal |
| Customer Notified Date | 2024/10/07 |
| Affected Chipsets\* | AQT1000, AR8035, CSRA6620, CSRA6640, FastConnect 6200, FastConnect 6700, FastConnect 6800, FastConnect 6900, FastConnect 7800, Flight RB5 5G Platform, QAM8255P, QAM8295P, QAM8620P, QAM8650P, QAM8775P, QAMSRV1H, QAMSRV1M, QCA6174A, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6678AQ, QCA6688AQ, QCA6696, QCA6698AQ, QCA6797AQ, QCA8081, QCA8337, QCC710, QCM2290, QCM4290, QCM4325, QCM4490, QCM5430, QCM6125, QCM6490, QCM8550, QCN6024, QCN6224, QCN6274, QCN7606, QCN9011, QCN9012, QCN9024, QCN9274, QCS2290, QCS4290, QCS4490, QCS5430, QCS6125, QCS6490, QCS7230, QCS8250, QCS8300, QCS8550, QCS9100, QDU1000, QDU1010, QDU1110, QDU1210, QDX1010, QDX1011, QEP8111, QFW7114, QFW7124, QMP1000, QRB5165M, QRB5165N, QRU1032, QRU1052, QRU1062, QSM8350, Qualcomm® Video Collaboration VC1 Platform, Qualcomm® Video Collaboration VC3 Platform, Qualcomm® Video Collaboration VC5 Platform, Robotics RB2 Platform, Robotics RB5 Platform, SA4150P, SA4155P, SA6145P, SA6150P, SA6155, SA6155P, SA7255P, SA7775P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SA8255P, SA8295P, SA8530P, SA8540P, SA8620P, SA8650P, SA8770P, SA8775P, SA9000P, SC8380XP, SD 8 Gen1 5G, SD670, SD730, SD855, SD865 5G, SD888, SDX61, SG4150P, SG8275P, SM4125, SM4635, SM6250, SM6370, SM6650, SM7250P, SM7315, SM7325P, SM7635, SM7675, SM7675P, SM8550P, SM8635, SM8635P, SM8650Q, SM8735, SM8750, SM8750P, Smart Audio 400 Platform, Snapdragon 4 Gen 1 Mobile Platform, Snapdragon 4 Gen 2 Mobile Platform, Snapdragon 460 Mobile Platform, Snapdragon 480 5G Mobile Platform, Snapdragon 480+ 5G Mobile Platform (SM4350-AC), Snapdragon 662 Mobile Platform, Snapdragon 665 Mobile Platform, Snapdragon 670 Mobile Platform, Snapdragon 675 Mobile Platform, Snapdragon 678 Mobile Platform (SM6150-AC), Snapdragon 680 4G Mobile Platform, Snapdragon 685 4G Mobile Platform (SM6225-AD), Snapdragon 690 5G Mobile Platform, Snapdragon 695 5G Mobile Platform, Snapdragon 710 Mobile Platform, Snapdragon 720G Mobile Platform, Snapdragon 730 Mobile Platform (SM7150-AA), Snapdragon 730G Mobile Platform (SM7150-AB), Snapdragon 732G Mobile Platform (SM7150-AC), Snapdragon 750G 5G Mobile Platform, Snapdragon 765 5G Mobile Platform (SM7250-AA), Snapdragon 765G 5G Mobile Platform (SM7250-AB), Snapdragon 768G 5G Mobile Platform (SM7250-AC), Snapdragon 778G 5G Mobile Platform, Snapdragon 778G+ 5G Mobile Platform (SM7325-AE), Snapdragon 780G 5G Mobile Platform, Snapdragon 782G Mobile Platform (SM7325-AF), Snapdragon 7c+ Gen 3 Compute, Snapdragon 8 Gen 1 Mobile Platform, Snapdragon 8 Gen 2 Mobile Platform, Snapdragon 8 Gen 3 Mobile Platform, Snapdragon 8+ Gen 1 Mobile Platform, Snapdragon 8+ Gen 2 Mobile Platform, Snapdragon 855 Mobile Platform, Snapdragon 855+/860 Mobile Platform (SM8150-AC), Snapdragon 865 5G Mobile Platform, Snapdragon 865+ 5G Mobile Platform (SM8250-AB), Snapdragon 870 5G Mobile Platform (SM8250-AC), Snapdragon 888 5G Mobile Platform, Snapdragon 888+ 5G Mobile Platform (SM8350-AC), Snapdragon 8cx Gen 3 Compute Platform (SC8280XP-AB, BB), Snapdragon AR1 Gen 1 Platform, Snapdragon AR1 Gen 1 Platform "Luna1", Snapdragon AR2 Gen 1 Platform, Snapdragon Auto 5G Modem-RF Gen 2, Snapdragon W5+ Gen 1 Wearable Platform, Snapdragon X35 5G Modem-RF System, Snapdragon X50 5G Modem-RF System, Snapdragon X55 5G Modem-RF System, Snapdragon X62 5G Modem-RF System, Snapdragon X65 5G Modem-RF System, Snapdragon X72 5G Modem-RF System, Snapdragon X75 5G Modem-RF System, Snapdragon XR1 Platform, Snapdragon XR2 5G Platform, Snapdragon XR2+ Gen 1 Platform, SRV1H, SRV1L, SRV1M, SSG2115P, SSG2125P, SW5100, SW5100P, SXR1120, SXR1230P, SXR2130, SXR2230P, SXR2250P, SXR2330P, TalynPlus, WCD9326, WCD9335, WCD9340, WCD9341, WCD9370, WCD9375, WCD9378, WCD9380, WCD9385, WCD9390, WCD9395, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN6450, WCN6650, WCN6740, WCN6755, WCN7750, WCN7860, WCN7861, WCN7880, WCN7881, WSA8810, WSA8815, WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H |

### CVE-2024-45556

| CVE ID | CVE-2024-45556 |
| --- | --- |
| Title | Improper Access Control for Register Interface in TZ Firmware |
| Description | Cryptographic issue may arise because the access control configuration permits Linux to read key registers in TCSR. |
| Technology Area | TZ Firmware |
| Vulnerability Type | CWE-1262: Improper Access Control for Register Interface |
| Access Vector | Local |
| Security Rating | Critical |
| CVSS Rating | Medium |
| CVSS Score | 6.5 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
| Date Reported | Internal |
| Customer Notified Date | 2024/10/07 |
| Affected Chipsets\* | FastConnect 6900, FastConnect 7800, Immersive Home 3210 Platform, Immersive Home 326 Platform, IPQ5300, IPQ5302, IPQ5312, IPQ5332, IPQ9008, IPQ9048, IPQ9554, IPQ9570, IPQ9574, QCA0000, QCA8075, QCA8081, QCA8082, QCA8084, QCA8085, QCA8386, QCF8000, QCF8000SFP, QCF8001, QCN5124, QCN6224, QCN6402, QCN6412, QCN6422, QCN6432, QCN9000, QCN9012, QCN9013, QCN9024, QCN9074, QCN9160, QCN9274, QXM8083, SD 8 Gen1 5G, SDM429W, SDX65M, Snapdragon 429 Mobile Platform, Snapdragon AR1 Gen 1 Platform, Snapdragon AR1 Gen 1 Platform "Luna1", Snapdragon AR2 Gen 1 Platform, Snapdragon Wear 4100+ Platform, Snapdragon X65 5G Modem-RF System, SSG2115P, SSG2125P, SXR1230P, SXR2230P, SXR2250P, WCD9380, WCD9385, WCN3620, WCN3660B, WCN3680B, WCN3980, WSA8830, WSA8832, WSA8835 |

### CVE-2025-21442

| CVE ID | CVE-2025-21442 |
| --- | --- |
| Title | Integer Overflow to Buffer Overflow in Automotive Vehicle Networks |
| Description | Memory corruption while transmitting packet mapping information with invalid header payload size. |
| Technology Area | Automotive Vehicle Networks |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | Critical |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2025/01/06 |
| Affected Chipsets\* | QAM8255P, QAM8295P, QAM8620P, QAM8650P, QAM8775P, QAMSRV1H, QAMSRV1M, QCA6574AU, QCA6595, QCA6595AU, QCA6688AQ, QCA6696, QCA6698AQ, SA7255P, SA7775P, SA8255P, SA8295P, SA8540P, SA8620P, SA8650P, SA8770P, SA8775P, SA9000P, SRV1H, SRV1L, SRV1M |

### CVE-2025-21443

| CVE ID | CVE-2025-21443 |
| --- | --- |
| Title | Buffer Copy Without Checking Size of Input (`Classic Buffer Overflow`) in Automotive Vehicle Networks |
| Description | Memory corruption while processing message content in eAVB. |
| Technology Area | Automotive Vehicle Networks |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | Critical |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2025/01/06 |
| Affected Chipsets\* | QAM8255P, QAM8295P, QAM8620P, QAM8650P, QAM8775P, QAMSRV1H, QAMSRV1M, QCA6574A, QCA6574AU, QCA6595, QCA6595AU, QCA6688AQ, QCA6696, QCA6698AQ, SA6145P, SA6150P, SA6155, SA6155P, SA7255P, SA7775P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SA8255P, SA8295P, SA8540P, SA8620P, SA8650P, SA8770P, SA8775P, SA9000P, SRV1H, SRV1L, SRV1M |

### CVE-2024-33058

| CVE ID | CVE-2024-33058 |
| --- | --- |
| Title | Insufficient Granularity of Access Control in Core |
| Description | Memory corruption while assigning memory from the source DDR memory(HLOS) to ADSP. |
| Technology Area | Core |
| Vulnerability Type | CWE-1220: Insufficient Granularity of Access Control |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.5 |
| CVSS String | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2024/10/07 |
| Affected Chipsets\* | AQT1000, AR8035, FastConnect 6200, FastConnect 6700, FastConnect 6800, FastConnect 6900, FastConnect 7800, QAM8255P, QAM8295P, QAM8620P, QAM8650P, QAM8775P, QAMSRV1H, QAMSRV1M, QCA6174A, QCA6310, QCA6335, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6678AQ, QCA6688AQ, QCA6696, QCA6698AQ, QCA6797AQ, QCA8081, QCA8337, QCA9377, QCC710, QCM5430, QCM6490, QCM8550, QCN6224, QCN6274, QCN9274, QCS5430, QCS6490, QCS8300, QCS8550, QCS9100, QDU1000, QDU1010, QDU1110, QDU1210, QDX1010, QDX1011, QEP8111, QFW7114, QFW7124, QMP1000, QRU1032, QRU1052, QRU1062, QSM8350, Qualcomm® Video Collaboration VC3 Platform, Robotics RB3 Platform, SA6145P, SA6155, SA6155P, SA7255P, SA7775P, SA8150P, SA8155, SA8155P, SA8255P, SA8295P, SA8540P, SA8620P, SA8650P, SA8770P, SA8775P, SA9000P, SC8380XP, SD 675, SD 8 Gen1 5G, SD 8CX, SD670, SD675, SD855, SD865 5G, SDX55, SDX57M, SDX80M, SM4635, SM6650, SM7250P, SM7635, SM7675, SM7675P, SM8635, SM8635P, SM8650Q, SM8735, SM8750, SM8750P, Snapdragon 670 Mobile Platform, Snapdragon 675 Mobile Platform, Snapdragon 678 Mobile Platform (SM6150-AC), Snapdragon 765 5G Mobile Platform (SM7250-AA), Snapdragon 765G 5G Mobile Platform (SM7250-AB), Snapdragon 768G 5G Mobile Platform (SM7250-AC), Snapdragon 8 Gen 1 Mobile Platform, Snapdragon 8 Gen 3 Mobile Platform, Snapdragon 845 Mobile Platform, Snapdragon 850 Mobile Compute Platform, Snapdragon 855 Mobile Platform, Snapdragon 855+/860 Mobile Platform (SM8150-AC), Snapdragon 865 5G Mobile Platform, Snapdragon 865+ 5G Mobile Platform (SM8250-AB), Snapdragon 870 5G Mobile Platform (SM8250-AC), Snapdragon 888 5G Mobile Platform, Snapdragon 888+ 5G Mobile Platform (SM8350-AC), Snapdragon 8c Compute Platform (SC8180X-AD) "Poipu Lite", Snapdragon 8c Compute Platform (SC8180XP-AD) "Poipu Lite", Snapdragon 8cx Compute Platform (SC8180X-AA, AB), Snapdragon 8cx Compute Platform (SC8180XP-AC, AF) "Poipu Pro", Snapdragon 8cx Gen 2 5G Compute Platform (SC8180X-AC, AF) "Poipu Pro", Snapdragon 8cx Gen 2 5G Compute Platform (SC8180XP-AA, AB), Snapdragon 8cx Gen 3 Compute Platform (SC8280XP-AB, BB), Snapdragon AR1 Gen 1 Platform, Snapdragon AR1 Gen 1 Platform "Luna1", Snapdragon AR2 Gen 1 Platform, Snapdragon Auto 5G Modem-RF Gen 2, Snapdragon X24 LTE Modem, Snapdragon X35 5G Modem-RF System, Snapdragon X50 5G Modem-RF System, Snapdragon X55 5G Modem-RF System, Snapdragon X62 5G Modem-RF System, Snapdragon X65 5G Modem-RF System, Snapdragon X72 5G Modem-RF System, Snapdragon X75 5G Modem-RF System, Snapdragon XR2 5G Platform, SRV1H, SRV1L, SRV1M, SSG2115P, SSG2125P, SXR1230P, SXR2130, SXR2330P, Vision Intelligence 300 Platform, Vision Intelligence 400 Platform, WCD9326, WCD9340, WCD9341, WCD9370, WCD9375, WCD9378, WCD9380, WCD9385, WCD9390, WCD9395, WCN3950, WCN3980, WCN3988, WCN3990, WCN6450, WCN6650, WCN6755, WCN7750, WCN7860, WCN7861, WCN7880, WCN7881, WSA8810, WSA8815, WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H |

### CVE-2024-43065

| CVE ID | CVE-2024-43065 |
| --- | --- |
| Title | Exposed Dangerous Method or Function in HLOS |
| Description | Cryptographic issues while generating an asymmetric key pair for RKP use cases. |
| Technology Area | HLOS |
| Vulnerability Type | CWE-749: Exposed Dangerous Method or Function |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.1 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| Date Reported | Internal |
| Customer Notified Date | 2024/10/07 |
| Affected Chipsets\* | AR8035, FastConnect 6200, FastConnect 6700, FastConnect 6800, FastConnect 6900, FastConnect 7800, QAM8255P, QAM8295P, QAM8620P, QAM8650P, QAM8775P, QAMSRV1H, QAMSRV1M, QCA6174A, QCA6391, QCA6421, QCA6426, QCA6431, QCA6436, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6678AQ, QCA6688AQ, QCA6696, QCA6698AQ, QCA6797AQ, QCA8081, QCA8337, QCC710, QCM4325, QCM5430, QCM6490, QCM8550, QCN6224, QCN6274, QCN9274, QCS5430, QCS6490, QCS8300, QCS8550, QCS9100, QDU1000, QDU1010, QDU1110, QDU1210, QDX1010, QDX1011, QEP8111, QFW7114, QFW7124, QMP1000, QRU1032, QRU1052, QRU1062, QSM8350, Qualcomm® Video Collaboration VC3 Platform, SA4150P, SA4155P, SA6145P, SA6150P, SA6155P, SA7255P, SA7775P, SA8145P, SA8150P, SA8155P, SA8195P, SA8255P, SA8295P, SA8530P, SA8540P, SA8620P, SA8650P, SA8770P, SA8775P, SA9000P, SC8380XP, SD 8 Gen1 5G, SD865 5G, SDM429W, SG4150P, SM4635, SM6650, SM7250P, SM7635, SM7675, SM7675P, SM8635, SM8635P, SM8650Q, SM8735, SM8750, SM8750P, Snapdragon 4 Gen 1 Mobile Platform, Snapdragon 429 Mobile Platform, Snapdragon 460 Mobile Platform, Snapdragon 480 5G Mobile Platform, Snapdragon 480+ 5G Mobile Platform (SM4350-AC), Snapdragon 662 Mobile Platform, Snapdragon 680 4G Mobile Platform, Snapdragon 685 4G Mobile Platform (SM6225-AD), Snapdragon 695 5G Mobile Platform, Snapdragon 765 5G Mobile Platform (SM7250-AA), Snapdragon 765G 5G Mobile Platform (SM7250-AB), Snapdragon 768G 5G Mobile Platform (SM7250-AC), Snapdragon 8 Gen 1 Mobile Platform, Snapdragon 8 Gen 3 Mobile Platform, Snapdragon 865 5G Mobile Platform, Snapdragon 865+ 5G Mobile Platform (SM8250-AB), Snapdragon 870 5G Mobile Platform (SM8250-AC), Snapdragon 888 5G Mobile Platform, Snapdragon 888+ 5G Mobile Platform (SM8350-AC), Snapdragon 8cx Gen 3 Compute Platform (SC8280XP-AB, BB), Snapdragon AR1 Gen 1 Platform, Snapdragon AR1 Gen 1 Platform "Luna1", Snapdragon Auto 5G Modem-RF Gen 2, Snapdragon Wear 4100+ Platform, Snapdragon X35 5G Modem-RF System, Snapdragon X55 5G Modem-RF System, Snapdragon X62 5G Modem-RF System, Snapdragon X65 5G Modem-RF System, Snapdragon X72 5G Modem-RF System, Snapdragon X75 5G Modem-RF System, Snapdragon XR2 5G Platform, SRV1H, SRV1L, SRV1M, SXR2130, SXR2330P, WCD9340, WCD9370, WCD9375, WCD9378, WCD9380, WCD9385, WCD9390, WCD9395, WCN3620, WCN3660B, WCN3680B, WCN3950, WCN3980, WCN3988, WCN6450, WCN6650, WCN6755, WCN7750, WCN7860, WCN7861, WCN7880, WCN7881, WSA8810, WSA8815, WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H |

### CVE-2024-45549

| CVE ID | CVE-2024-45549 |
| --- | --- |
| Title | Exposure of Sensitive System Information to an Unauthorized Control Sphere in KERNEL |
| Description | Information disclosure while creating MQ channels. |
| Technology Area | KERNEL |
| Vulnerability Type | CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.7 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| Date Reported | Internal |
| Customer Notified Date | 2024/10/07 |
| Affected Chipsets\* | AR8035, FastConnect 6700, FastConnect 6800, FastConnect 6900, FastConnect 7800, QAM8255P, QAM8295P, QAM8620P, QAM8650P, QAM8775P, QAMSRV1H, QAMSRV1M, QCA6174A, QCA6391, QCA6421, QCA6426, QCA6431, QCA6436, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6678AQ, QCA6688AQ, QCA6696, QCA6698AQ, QCA6797AQ, QCA8081, QCA8337, QCC710, QCM4490, QCM8550, QCN6024, QCN6224, QCN6274, QCN9011, QCN9012, QCN9024, QCN9274, QCS4490, QCS7230, QCS8250, QCS8300, QCS8550, QCS9100, QDU1000, QDU1010, QDU1110, QDU1210, QDX1010, QDX1011, QEP8111, QFW7114, QFW7124, QMP1000, QRU1032, QRU1052, QRU1062, QSM8250, Qualcomm® Video Collaboration VC5 Platform, SA7255P, SA7775P, SA8255P, SA8295P, SA8530P, SA8540P, SA8620P, SA8650P, SA8770P, SA8775P, SA9000P, SC8380XP, SD 8 Gen1 5G, SD865 5G, SDM429W, SDX55, SDX61, SDX71M, SDX80M, SG8275P, SM4635, SM6650, SM7635, SM7675, SM7675P, SM8550P, SM8635, SM8635P, SM8650Q, SM8735, SM8750, SM8750P, Snapdragon 4 Gen 2 Mobile Platform, Snapdragon 429 Mobile Platform, Snapdragon 8 Gen 1 Mobile Platform, Snapdragon 8 Gen 2 Mobile Platform, Snapdragon 8 Gen 3 Mobile Platform, Snapdragon 8+ Gen 1 Mobile Platform, Snapdragon 8+ Gen 2 Mobile Platform, Snapdragon 865 5G Mobile Platform, Snapdragon 865+ 5G Mobile Platform (SM8250-AB), Snapdragon 870 5G Mobile Platform (SM8250-AC), Snapdragon 8cx Gen 3 Compute Platform (SC8280XP-AB, BB), Snapdragon AR1 Gen 1 Platform, Snapdragon AR1 Gen 1 Platform "Luna1", Snapdragon AR2 Gen 1 Platform, Snapdragon Auto 5G Modem-RF Gen 2, Snapdragon Wear 4100+ Platform, Snapdragon X35 5G Modem-RF System, Snapdragon X55 5G Modem-RF System, Snapdragon X62 5G Modem-RF System, Snapdragon X65 5G Modem-RF System, Snapdragon X70 Modem-RF System, Snapdragon X72 5G Modem-RF System, Snapdragon X75 5G Modem-RF System, Snapdragon XR2 5G Platform, Snapdragon XR2+ Gen 1 Platform, SRV1H, SRV1L, SRV1M, SSG2115P, SSG2125P, SXR1230P, SXR2130, SXR2230P, SXR2250P, SXR2330P, TalynPlus, WCD9340, WCD9370, WCD9375, WCD9378, WCD9380, WCD9385, WCD9390, WCD9395, WCN3620, WCN3660B, WCN3680B, WCN3950, WCN3980, WCN3988, WCN6450, WCN6650, WCN6740, WCN6755, WCN7750, WCN7860, WCN7861, WCN7880, WCN7881, WSA8810, WSA8815, WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H |

### CVE-2024-45552

| CVE ID | CVE-2024-45552 |
| --- | --- |
| Title | Buffer Over-read in Data Network Stack & Connectivity |
| Description | Information disclosure may occur during a video call if a device resets due to a non-conforming RTCP packet that doesn’t adhere to RFC standards. |
| Technology Area | Data Network Stack & Connectivity |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 8.2 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L |
| Date Reported | 2024/06/03 |
| Customer Notified Date | 2024/10/07 |
| Affected Chipsets\* | APQ8064AU, FastConnect 6200, FastConnect 6700, FastConnect 6800, FastConnect 6900, FastConnect 7800, MSM8108, MSM8209, MSM8608, MSM8909W, MSM8996AU, QAM8255P, QAM8295P, QAM8620P, QAM8650P, QAM8775P, QAMSRV1H, QAMSRV1M, QCA6310, QCA6320, QCA6335, QCA6391, QCA6426, QCA6436, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6595, QCA6595AU, QCA6696, QCA6698AQ, QCA6797AQ, QCM6125, QCM6490, QCS410, QCS610, QCS6125, QCS6490, Qualcomm 205 Mobile Platform, Qualcomm 215 Mobile Platform, Qualcomm® Video Collaboration VC1 Platform, Qualcomm® Video Collaboration VC3 Platform, Robotics RB3 Platform, SA4150P, SA4155P, SA6145P, SA6150P, SA6155, SA6155P, SA7255P, SA7775P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SA8255P, SA8295P, SA8620P, SA8650P, SA8770P, SA8775P, SA9000P, SD626, SD660, SD835, SD865 5G, SDM429W, SG4150P, SM4125, SM6370, SM8550P, Smart Audio 200 Platform, Smart Display 200 Platform (APQ5053-AA), Snapdragon 208 Processor, Snapdragon 210 Processor, Snapdragon 212 Mobile Platform, Snapdragon 4 Gen 1 Mobile Platform, Snapdragon 429 Mobile Platform, Snapdragon 460 Mobile Platform, Snapdragon 480 5G Mobile Platform, Snapdragon 480+ 5G Mobile Platform (SM4350-AC), Snapdragon 625 Mobile Platform, Snapdragon 626 Mobile Platform, Snapdragon 660 Mobile Platform, Snapdragon 662 Mobile Platform, Snapdragon 680 4G Mobile Platform, Snapdragon 685 4G Mobile Platform (SM6225-AD), Snapdragon 695 5G Mobile Platform, Snapdragon 8 Gen 2 Mobile Platform, Snapdragon 8 Gen 3 Mobile Platform, Snapdragon 8+ Gen 1 Mobile Platform, Snapdragon 8+ Gen 2 Mobile Platform, Snapdragon 820 Automotive Platform, Snapdragon 835 Mobile PC Platform, Snapdragon 845 Mobile Platform, Snapdragon 865 5G Mobile Platform, Snapdragon 865+ 5G Mobile Platform (SM8250-AB), Snapdragon 870 5G Mobile Platform (SM8250-AC), Snapdragon W5+ Gen 1 Wearable Platform, Snapdragon Wear 2100 Platform, Snapdragon Wear 2500 Platform, Snapdragon Wear 3100 Platform, Snapdragon X55 5G Modem-RF System, Snapdragon XR1 Platform, Snapdragon XR2 5G Platform, SRV1H, SRV1L, SRV1M, SW5100, SW5100P, SXR1120, SXR2130, Vision Intelligence 100 Platform (APQ8053-AA), Vision Intelligence 200 Platform (APQ8053-AC), Vision Intelligence 400 Platform, WCD9326, WCD9335, WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCD9390, WCD9395, WCN3610, WCN3615, WCN3620, WCN3660B, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WSA8810, WSA8815, WSA8830, WSA8835, WSA8840, WSA8845, WSA8845H |

### CVE-2024-45557

| CVE ID | CVE-2024-45557 |
| --- | --- |
| Title | Use of Out-of-range Pointer Offset in Trust Management Engine |
| Description | Memory corruption can occur when TME processes addresses from TZ and MPSS requests without proper validation. |
| Technology Area | Trust Management Engine |
| Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2024/10/07 |
| Affected Chipsets\* | AR8035, FastConnect 6700, FastConnect 6900, FastConnect 7800, QCA6174A, QCA6584AU, QCA6698AQ, QCA8081, QCA8337, QCC710, QCM4490, QCN6224, QCN6274, QCS4490, QDU1000, QDU1010, QDU1110, QDU1210, QDX1010, QDX1011, QEP8111, QFW7114, QFW7124, QRU1032, QRU1052, QRU1062, SC8380XP, SD 8 Gen1 5G, SM8635, Snapdragon 4 Gen 2 Mobile Platform, Snapdragon 8 Gen 1 Mobile Platform, Snapdragon 8 Gen 3 Mobile Platform, Snapdragon 8+ Gen 1 Mobile Platform, Snapdragon AR2 Gen 1 Platform, Snapdragon Auto 5G Modem-RF Gen 2, Snapdragon X35 5G Modem-RF System, Snapdragon X72 5G Modem-RF System, Snapdragon X75 5G Modem-RF System, SSG2115P, SSG2125P, SXR1230P, SXR2230P, TalynPlus, WCD9340, WCD9370, WCD9375, WCD9380, WCD9385, WCD9390, WCD9395, WCN3950, WCN3988, WCN6755, WSA8810, WSA8815, WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H |

### CVE-2025-21421

| CVE ID | CVE-2025-21421 |
| --- | --- |
| Title | Buffer Over-read in Display |
| Description | Memory corruption while processing escape code in API. |
| Technology Area | Display |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 2024/10/23 |
| Customer Notified Date | 2025/01/06 |
| Affected Chipsets\* | AQT1000, FastConnect 6200, FastConnect 6700, FastConnect 6800, FastConnect 6900, FastConnect 7800, QCA6391, QCA6420, QCA6430, QCM5430, QCM6490, QCS5430, QCS6490, Qualcomm® Video Collaboration VC3 Platform, SC8180X+SDX55, SC8380XP, SM6250, Snapdragon 7c Compute Platform (SC7180-AC), Snapdragon 7c Gen 2 Compute Platform (SC7180-AD) "Rennell Pro", Snapdragon 7c+ Gen 3 Compute, Snapdragon 8c Compute Platform (SC8180X-AD) "Poipu Lite", Snapdragon 8c Compute Platform (SC8180XP-AD) "Poipu Lite", Snapdragon 8cx Compute Platform (SC8180X-AA, AB), Snapdragon 8cx Compute Platform (SC8180XP-AC, AF) "Poipu Pro", Snapdragon 8cx Gen 2 5G Compute Platform (SC8180X-AC, AF) "Poipu Pro", Snapdragon 8cx Gen 2 5G Compute Platform (SC8180XP-AA, AB), Snapdragon 8cx Gen 3 Compute Platform (SC8280XP-AB, BB), WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WSA8810, WSA8815, WSA8830, WSA8835, WSA8840, WSA8845, WSA8845H |

### CVE-2025-21423

| CVE ID | CVE-2025-21423 |
| --- | --- |
| Title | Improper Validation of Array Index in Display |
| Description | Memory corruption occurs when handling client calls to EnableTestMode through an Escape call. |
| Technology Area | Display |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2025/01/06 |
| Affected Chipsets\* | AQT1000, FastConnect 6200, FastConnect 6700, FastConnect 6800, FastConnect 6900, FastConnect 7800, QCA6391, QCA6420, QCA6430, QCM5430, QCM6490, QCS5430, QCS6490, Qualcomm® Video Collaboration VC3 Platform, SC8180X+SDX55, SC8380XP, SM6250, Snapdragon 7c Compute Platform (SC7180-AC), Snapdragon 7c Gen 2 Compute Platform (SC7180-AD) "Rennell Pro", Snapdragon 7c+ Gen 3 Compute, Snapdragon 8c Compute Platform (SC8180X-AD) "Poipu Lite", Snapdragon 8c Compute Platform (SC8180XP-AD) "Poipu Lite", Snapdragon 8cx Compute Platform (SC8180X-AA, AB), Snapdragon 8cx Compute Platform (SC8180XP-AC, AF) "Poipu Pro", Snapdragon 8cx Gen 2 5G Compute Platform (SC8180X-AC, AF) "Poipu Pro", Snapdragon 8cx Gen 2 5G Compute Platform (SC8180XP-AA, AB), Snapdragon 8cx Gen 3 Compute Platform (SC8280XP-AB, BB), WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WSA8810, WSA8815, WSA8830, WSA8835, WSA8840, WSA8845, WSA8845H |

### CVE-2025-21425

| CVE ID | CVE-2025-21425 |
| --- | --- |
| Title | Improper Access Control in Automotive Linux OS |
| Description | Memory corruption may occur due top improper access control in HAB process. |
| Technology Area | Automotive Linux OS |
| Vulnerability Type | CWE-284 Improper Access Control |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.3 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L |
| Date Reported | Internal |
| Customer Notified Date | 2025/01/06 |
| Affected Chipsets\* | QAM8255P, QAM8295P, QAM8620P, QAM8650P, QAM8775P, QAMSRV1H, QAMSRV1M, QCA6574AU, QCA6595, QCA6595AU, QCA6688AQ, QCA6696, QCA6698AQ, SA6145P, SA6150P, SA6155P, SA7255P, SA7775P, SA8145P, SA8150P, SA8155P, SA8195P, SA8255P, SA8295P, SA8540P, SA8620P, SA8650P, SA8770P, SA8775P, SA9000P, SRV1H, SRV1L, SRV1M |

### CVE-2025-21431

| CVE ID | CVE-2025-21431 |
| --- | --- |
| Title | Time-of-check Time-of-use (TOCTOU) Race Condition in Automotive OS Platform |
| Description | Information disclosure may be there when a guest VM is connected. |
| Technology Area | Automotive Software platform based on QNX |
| Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | Medium |
| CVSS Score | 5.5 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| Date Reported | Internal |
| Customer Notified Date | 2025/01/06 |
| Affected Chipsets\* | QAM8255P, QAM8295P, QAM8620P, QAM8650P, QAM8775P, QAMSRV1H, QAMSRV1M, QCA6574A, QCA6574AU, QCA6595, QCA6595AU, QCA6688AQ, QCA6696, QCA6698AQ, SA6145P, SA6150P, SA6155, SA6155P, SA7255P, SA7775P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SA8255P, SA8295P, SA8540P, SA8620P, SA8650P, SA8770P, SA8775P, SA9000P, SRV1H, SRV1L, SRV1M |

### CVE-2025-21438

| CVE ID | CVE-2025-21438 |
| --- | --- |
| Title | Out-of-bounds Read in Windows WLAN Host |
| Description | Memory corruption while IOCTL call is invoked from user-space to read board data. |
| Technology Area | Windows WLAN Host |
| Vulnerability Type | CWE-125: Out-of-bounds Read |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2025/01/06 |
| Affected Chipsets\* | FastConnect 6200, FastConnect 6700, FastConnect 6900, FastConnect 7800, QCA6164, QCA6174, QCA6174A, QCA6595AU, QCA9377, QCM5430, QCM6490, QCN7605, QCN7606, QCS5430, QCS6490, Qualcomm® Video Collaboration VC3 Platform, SC8180X+SDX55, SC8380XP, SM6250, Snapdragon 7c Compute Platform (SC7180-AC), Snapdragon 7c Gen 2 Compute Platform (SC7180-AD) "Rennell Pro", Snapdragon 7c+ Gen 3 Compute, Snapdragon 8c Compute Platform (SC8180X-AD) "Poipu Lite", Snapdragon 8c Compute Platform (SC8180XP-AD) "Poipu Lite", Snapdragon 8cx Compute Platform (SC8180X-AA, AB), Snapdragon 8cx Compute Platform (SC8180XP-AC, AF) "Poipu Pro", Snapdragon 8cx Gen 2 5G Compute Platform (SC8180X-AC, AF) "Poipu Pro", Snapdragon 8cx Gen 2 5G Compute Platform (SC8180XP-AA, AB), Snapdragon 8cx Gen 3 Compute Platform (SC8280XP-AB, BB), WCD9370, WCD9375, WCD9380, WCD9385, WSA8830, WSA8835, WSA8840, WSA8845, WSA8845H |

### CVE-2025-21439

| CVE ID | CVE-2025-21439 |
| --- | --- |
| Title | Out-of-bounds Read in Windows WLAN Host |
| Description | Memory corruption may occur while reading board data via IOCTL call when the WLAN driver copies the content to the provided output buffer. |
| Technology Area | Windows WLAN Host |
| Vulnerability Type | CWE-787: Out-of-bounds Write |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2025/01/06 |
| Affected Chipsets\* | FastConnect 6700, FastConnect 6900, QCA6595AU, QCM5430, QCM6490, QCN7605, QCN7606, QCS5430, QCS6490, Qualcomm® Video Collaboration VC3 Platform, SC8180X+SDX55, Snapdragon 8c Compute Platform (SC8180X-AD) "Poipu Lite", Snapdragon 8c Compute Platform (SC8180XP-AD) "Poipu Lite", Snapdragon 8cx Compute Platform (SC8180X-AA, AB), Snapdragon 8cx Compute Platform (SC8180XP-AC, AF) "Poipu Pro", Snapdragon 8cx Gen 2 5G Compute Platform (SC8180X-AC, AF) "Poipu Pro", Snapdragon 8cx Gen 2 5G Compute Platform (SC8180XP-AA, AB), WCD9370, WCD9375, WCD9380, WCD9385 |

### CVE-2025-21440

| CVE ID | CVE-2025-21440 |
| --- | --- |
| Title | Out-of-bounds Read in Windows WLAN Host |
| Description | Memory corruption when IOCTL call is invoked from user-space to write board data to WLAN driver. |
| Technology Area | Windows WLAN Host |
| Vulnerability Type | CWE-787: Out-of-bounds Write |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2025/01/06 |
| Affected Chipsets\* | AQT1000, FastConnect 6200, FastConnect 6700, FastConnect 6800, FastConnect 6900, FastConnect 7800, QCA1062, QCA1064, QCA2062, QCA2064, QCA2065, QCA2066, QCA6391, QCA6420, QCA6430, QCC2073, QCC2076, QCM5430, QCM6490, QCS5430, QCS6490, Qualcomm® Video Collaboration VC3 Platform, SC8180X+SDX55, SC8380XP, SM6250, Snapdragon 7c Compute Platform (SC7180-AC), Snapdragon 7c Gen 2 Compute Platform (SC7180-AD) "Rennell Pro", Snapdragon 7c+ Gen 3 Compute, Snapdragon 8c Compute Platform (SC8180X-AD) "Poipu Lite", Snapdragon 8c Compute Platform (SC8180XP-AD) "Poipu Lite", Snapdragon 8cx Compute Platform (SC8180X-AA, AB), Snapdragon 8cx Compute Platform (SC8180XP-AC, AF) "Poipu Pro", Snapdragon 8cx Gen 2 5G Compute Platform (SC8180X-AC, AF) "Poipu Pro", Snapdragon 8cx Gen 2 5G Compute Platform (SC8180XP-AA, AB), WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WSA8810, WSA8815, WSA8840, WSA8845, WSA8845H |

### CVE-2025-21441

| CVE ID | CVE-2025-21441 |
| --- | --- |
| Title | Out-of-bounds Read in Windows WLAN Host |
| Description | Memory corruption when IOCTL call is invoked from user-space to write board data to WLAN driver. |
| Technology Area | Windows WLAN Host |
| Vulnerability Type | CWE-787: Out-of-bounds Write |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2025/01/06 |
| Affected Chipsets\* | AQT1000, FastConnect 6200, FastConnect 6700, FastConnect 6800, FastConnect 6900, FastConnect 7800, QCA1062, QCA1064, QCA2062, QCA2064, QCA2065, QCA2066, QCA6391, QCA6420, QCA6430, QCC2073, QCC2076, QCM5430, QCM6490, QCS5430, QCS6490, Qualcomm® Video Collaboration VC3 Platform, SC8180X+SDX55, SC8380XP, SM6250, Snapdragon 7c Compute Platform (SC7180-AC), Snapdragon 7c Gen 2 Compute Platform (SC7180-AD) "Rennell Pro", Snapdragon 7c+ Gen 3 Compute, Snapdragon 8c Compute Platform (SC8180X-AD) "Poipu Lite", Snapdragon 8c Compute Platform (SC8180XP-AD) "Poipu Lite", Snapdragon 8cx Compute Platform (SC8180X-AA, AB), Snapdragon 8cx Compute Platform (SC8180XP-AC, AF) "Poipu Pro", Snapdragon 8cx Gen 2 5G Compute Platform (SC8180X-AC, AF) "Poipu Pro", Snapdragon 8cx Gen 2 5G Compute Platform (SC8180XP-AA, AB), WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WSA8810, WSA8815, WSA8840, WSA8845, WSA8845H |

### CVE-2025-21447

| CVE ID | CVE-2025-21447 |
| --- | --- |
| Title | Improper Validation of Array Index in Computer Vision |
| Description | Memory corruption may occur while processing device IO control call for session control. |
| Technology Area | Computer Vision |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2025/01/06 |
| Affected Chipsets\* | FastConnect 6900, FastConnect 7800, SC8380XP, WCD9380, WCD9385, WSA8840, WSA8845, WSA8845H |

### CVE-2025-21448

| CVE ID | CVE-2025-21448 |
| --- | --- |
| Title | Buffer Over-read in WLAN Firmware |
| Description | Transient DOS may occur while parsing SSID in action frames. |
| Technology Area | WLAN Firmware |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.5 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2025/01/06 |
| Affected Chipsets\* | 315 5G IoT Modem, AQT1000, AR8035, AR9380, CSR8811, CSRB31024, FastConnect 6200, FastConnect 6700, FastConnect 6800, FastConnect 6900, FastConnect 7800, Flight RB5 5G Platform, Immersive Home 214 Platform, Immersive Home 216 Platform, Immersive Home 316 Platform, Immersive Home 318 Platform, IPQ5010, IPQ5028, IPQ6010, IPQ6018, IPQ6028, IPQ8064, IPQ8065, IPQ8068, IPQ8070, IPQ8070A, IPQ8071A, IPQ8072A, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078, IPQ8078A, IPQ8173, IPQ8174, IPQ9554, IPQ9570, IPQ9574, PMP8074, QAM8255P, QAM8295P, QAM8620P, QAM8650P, QAM8775P, QAMSRV1H, QAMSRV1M, QCA0000, QCA1062, QCA1064, QCA2062, QCA2064, QCA2065, QCA2066, QCA4024, QCA6174A, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6554A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6678AQ, QCA6688AQ, QCA6696, QCA6698AQ, QCA6777AQ, QCA6787AQ, QCA6797AQ, QCA8072, QCA8075, QCA8081, QCA8337, QCA9886, QCA9888, QCA9889, QCA9980, QCA9984, QCA9985, QCA9986, QCA9990, QCA9992, QCA9994, QCC2073, QCC2076, QCC710, QCM4490, QCM5430, QCM6490, QCM8550, QCN5021, QCN5022, QCN5024, QCN5052, QCN5054, QCN5122, QCN5124, QCN5152, QCN5154, QCN5164, QCN6023, QCN6024, QCN6100, QCN6102, QCN6112, QCN6122, QCN6132, QCN6224, QCN6274, QCN9000, QCN9001, QCN9002, QCN9003, QCN9011, QCN9012, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCN9100, QCN9274, QCS4490, QCS5430, QCS6490, QCS7230, QCS8250, QCS8300, QCS8550, QCS9100, QEP8111, QFW7114, QFW7124, QMP1000, QRB5165M, QRB5165N, QSM8250, QSM8350, Qualcomm® Video Collaboration VC3 Platform, Qualcomm® Video Collaboration VC5 Platform, Robotics RB5 Platform, SA4150P, SA6145P, SA6150P, SA6155, SA6155P, SA7255P, SA7775P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SA8255P, SA8295P, SA8620P, SA8650P, SA8770P, SA8775P, SA9000P, SC8180X+SDX55, SC8380XP, SD 8 Gen1 5G, SD865 5G, SD888, SDX55, SDX61, SG8275P, SM6650, SM7315, SM7325P, SM7635, SM7675, SM7675P, SM8550P, SM8635, SM8635P, SM8650Q, SM8735, SM8750, SM8750P, Snapdragon 778G 5G Mobile Platform, Snapdragon 778G+ 5G Mobile Platform (SM7325-AE), Snapdragon 780G 5G Mobile Platform, Snapdragon 782G Mobile Platform (SM7325-AF), Snapdragon 7c+ Gen 3 Compute, Snapdragon 8 Gen 1 Mobile Platform, Snapdragon 8 Gen 2 Mobile Platform, Snapdragon 8 Gen 3 Mobile Platform, Snapdragon 8+ Gen 1 Mobile Platform, Snapdragon 8+ Gen 2 Mobile Platform, Snapdragon 865 5G Mobile Platform, Snapdragon 865+ 5G Mobile Platform (SM8250-AB), Snapdragon 870 5G Mobile Platform (SM8250-AC), Snapdragon 888 5G Mobile Platform, Snapdragon 888+ 5G Mobile Platform (SM8350-AC), Snapdragon 8c Compute Platform (SC8180X-AD) "Poipu Lite", Snapdragon 8c Compute Platform (SC8180XP-AD) "Poipu Lite", Snapdragon 8cx Compute Platform (SC8180X-AA, AB), Snapdragon 8cx Compute Platform (SC8180XP-AC, AF) "Poipu Pro", Snapdragon 8cx Gen 2 5G Compute Platform (SC8180X-AC, AF) "Poipu Pro", Snapdragon 8cx Gen 2 5G Compute Platform (SC8180XP-AA, AB), Snapdragon 8cx Gen 3 Compute Platform (SC8280XP-AB, BB), Snapdragon AR1 Gen 1 Platform, Snapdragon AR1 Gen 1 Platform "Luna1", Snapdragon AR2 Gen 1 Platform, Snapdragon Auto 5G Modem-RF, Snapdragon Auto 5G Modem-RF Gen 2, Snapdragon X35 5G Modem-RF System, Snapdragon X55 5G Modem-RF System, Snapdragon X62 5G Modem-RF System, Snapdragon X65 5G Modem-RF System, Snapdragon X72 5G Modem-RF System, Snapdragon X75 5G Modem-RF System, Snapdragon XR2 5G Platform, Snapdragon XR2+ Gen 1 Platform, Snapdragon Auto 4G Modem, SRV1H, SRV1L, SRV1M, SSG2115P, SSG2125P, SXR1230P, SXR2130, SXR2230P, SXR2250P, SXR2330P, WCD9340, WCD9341, WCD9360, WCD9370, WCD9375, WCD9378, WCD9380, WCD9385, WCD9390, WCD9395, WCN3950, WCN3980, WCN6450, WCN6650, WCN6740, WCN6755, WCN7750, WCN7860, WCN7861, WCN7880, WCN7881, WSA8810, WSA8815, WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H |

### CVE-2024-43046

| CVE ID | CVE-2024-43046 |
| --- | --- |
| Title | Information Exposure in TZ Secure OS |
| Description | There may be information disclosure during memory re-allocation in TZ Secure OS. |
| Technology Area | TZ Secure OS |
| Vulnerability Type | CWE-200 Information Exposure |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | Medium |
| CVSS Score | 5.5 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| Date Reported | 2024/08/15 |
| Customer Notified Date | 2024/12/02 |
| Affected Chipsets\* | 315 5G IoT Modem, 9205 LTE Modem, AQT1000, AR8031, AR8035, CSR8811, CSRA6620, CSRA6640, FastConnect 6200, FastConnect 6700, FastConnect 6800, FastConnect 6900, FastConnect 7800, Immersive Home 3210 Platform, Immersive Home 326 Platform, IPQ5300, IPQ5302, IPQ5312, IPQ5332, IPQ6000, IPQ6005, IPQ6010, IPQ6018, IPQ6028, IPQ9008, IPQ9048, IPQ9554, IPQ9570, IPQ9574, QAM8255P, QAM8295P, QAM8620P, QAM8650P, QAM8775P, QAMSRV1H, QAMSRV1M, QCA0000, QCA4004, QCA4024, QCA6174A, QCA6310, QCA6335, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6678AQ, QCA6688AQ, QCA6696, QCA6698AQ, QCA6797AQ, QCA8072, QCA8075, QCA8081, QCA8082, QCA8084, QCA8085, QCA8337, QCA8386, QCA9377, QCA9984, QCC710, QCF8000, QCF8000SFP, QCF8001, QCM2290, QCM4290, QCM4490, QCM5430, QCM6490, QCM8550, QCN5021, QCN5022, QCN5052, QCN5121, QCN5122, QCN5124, QCN5152, QCN6023, QCN6024, QCN6224, QCN6274, QCN6402, QCN6412, QCN6422, QCN6432, QCN7606, QCN9000, QCN9011, QCN9012, QCN9013, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCN9160, QCN9274, QCS2290, QCS4290, QCS4490, QCS5430, QCS6490, QCS8300, QCS8550, QCS9100, QDU1000, QDU1010, QDU1110, QDU1210, QDX1010, QDX1011, QEP8111, QFW7114, QFW7124, QMP1000, QRU1032, QRU1052, QRU1062, QSM8250, QSM8350, Qualcomm® Video Collaboration VC3 Platform, QXM8083, Robotics RB2 Platform, Robotics RB3 Platform, SA6145P, SA6155, SA6155P, SA7255P, SA7775P, SA8150P, SA8155, SA8155P, SA8255P, SA8295P, SA8530P, SA8540P, SA8620P, SA8650P, SA8770P, SA8775P, SA9000P, SC8380XP, SD 675, SD 8 Gen1 5G, SD 8CX, SD460, SD662, SD670, SD675, SD855, SD865 5G, SD888, SDM429W, SDX55, SDX57M, SDX61, SDX65M, SDX71M, SDX80M, SG8275P, SM4125, SM4635, SM6370, SM6650, SM7250P, SM7315, SM7325P, SM7635, SM7675, SM7675P, SM8550P, SM8635, SM8635P, SM8650Q, SM8735, SM8750, SM8750P, Smart Audio 400 Platform, Snapdragon 4 Gen 1 Mobile Platform, Snapdragon 4 Gen 2 Mobile Platform, Snapdragon 429 Mobile Platform, Snapdragon 460 Mobile Platform, Snapdragon 480 5G Mobile Platform, Snapdragon 480+ 5G Mobile Platform (SM4350-AC), Snapdragon 662 Mobile Platform, Snapdragon 665 Mobile Platform, Snapdragon 670 Mobile Platform, Snapdragon 675 Mobile Platform, Snapdragon 678 Mobile Platform (SM6150-AC), Snapdragon 680 4G Mobile Platform, Snapdragon 685 4G Mobile Platform (SM6225-AD), Snapdragon 690 5G Mobile Platform, Snapdragon 695 5G Mobile Platform, Snapdragon 750G 5G Mobile Platform, Snapdragon 765 5G Mobile Platform (SM7250-AA), Snapdragon 765G 5G Mobile Platform (SM7250-AB), Snapdragon 768G 5G Mobile Platform (SM7250-AC), Snapdragon 778G 5G Mobile Platform, Snapdragon 778G+ 5G Mobile Platform (SM7325-AE), Snapdragon 780G 5G Mobile Platform, Snapdragon 782G Mobile Platform (SM7325-AF), Snapdragon 7c+ Gen 3 Compute, Snapdragon 8 Gen 1 Mobile Platform, Snapdragon 8 Gen 2 Mobile Platform, Snapdragon 8 Gen 3 Mobile Platform, Snapdragon 8+ Gen 1 Mobile Platform, Snapdragon 8+ Gen 2 Mobile Platform, Snapdragon 845 Mobile Platform, Snapdragon 850 Mobile Compute Platform, Snapdragon 855 Mobile Platform, Snapdragon 855+/860 Mobile Platform (SM8150-AC), Snapdragon 865 5G Mobile Platform, Snapdragon 865+ 5G Mobile Platform (SM8250-AB), Snapdragon 870 5G Mobile Platform (SM8250-AC), Snapdragon 888 5G Mobile Platform, Snapdragon 888+ 5G Mobile Platform (SM8350-AC), Snapdragon 8c Compute Platform (SC8180X-AD) "Poipu Lite", Snapdragon 8c Compute Platform (SC8180XP-AD) "Poipu Lite", Snapdragon 8cx Compute Platform (SC8180X-AA, AB), Snapdragon 8cx Compute Platform (SC8180XP-AC, AF) "Poipu Pro", Snapdragon 8cx Gen 2 5G Compute Platform (SC8180X-AC, AF) "Poipu Pro", Snapdragon 8cx Gen 2 5G Compute Platform (SC8180XP-AA, AB), Snapdragon 8cx Gen 3 Compute Platform (SC8280XP-AB, BB), Snapdragon AR1 Gen 1 Platform, Snapdragon AR1 Gen 1 Platform "Luna1", Snapdragon AR2 Gen 1 Platform, Snapdragon Auto 5G Modem-RF, Snapdragon Auto 5G Modem-RF Gen 2, Snapdragon Wear 1300 Platform, Snapdragon Wear 4100+ Platform, Snapdragon X24 LTE Modem, Snapdragon X35 5G Modem-RF System, Snapdragon X50 5G Modem-RF System, Snapdragon X55 5G Modem-RF System, Snapdragon X62 5G Modem-RF System, Snapdragon X65 5G Modem-RF System, Snapdragon X70 Modem-RF System, Snapdragon X72 5G Modem-RF System, Snapdragon X75 5G Modem-RF System, Snapdragon XR2 5G Platform, Snapdragon XR2+ Gen 1 Platform, SRV1H, SRV1L, SRV1M, SSG2115P, SSG2125P, SXR1230P, SXR2130, SXR2230P, SXR2250P, SXR2330P, TalynPlus, Vision Intelligence 300 Platform, Vision Intelligence 400 Platform, WCD9306, WCD9326, WCD9335, WCD9340, WCD9341, WCD9360, WCD9370, WCD9375, WCD9378, WCD9380, WCD9385, WCD9390, WCD9395, WCN3620, WCN3660B, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3999, WCN6450, WCN6650, WCN6740, WCN6755, WCN7750, WCN7860, WCN7861, WCN7880, WCN7881, WSA8810, WSA8815, WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H |

\*The list of affected chipsets may not be complete.
                For latest information, device OEMs can contact QTI directly at [www.qualcomm.com/support](https://www.qualcomm.com/support).

## Open Source Software Issues

The tables below summarize security vulnerabilities that were addressed through open source software

This table lists high impact security vulnerabilities.
                Patches are being actively shared with OEMs, who have been notified and strongly recommended to deploy those patches on released devices as soon as possible.
                Please contact the device manufacturer for information on the patching status of released devices.

| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
| --- | --- | --- | --- | --- |
| CVE-2024-43066 | High | High | HLOS | Internal |
| CVE-2024-49848 | High | Medium | DSP Service |  |
| CVE-2025-21428 | High | High | WLAN Host | 08/30/2024 |
| CVE-2025-21429 | High | High | WLAN Host | 08/30/2024 |
| CVE-2025-21430 | High | High | WLAN Host | 08/30/2024 |
| CVE-2025-21434 | High | High | WLAN Host | 09/01/2024 |
| CVE-2025-21435 | High | High | WLAN Host Communication | 09/12/2024 |
| CVE-2025-21436 | High | High | DSP Service | Internal |
| CVE-2025-21437 | High | High | Automotive Linux OS | Internal |

This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.

| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
| --- | --- | --- | --- | --- |
| CVE-2024-43058 | Medium | High | Multimedia Frameworks | 03/19/2024 |
| CVE-2024-43067 | Medium | High | Camera Driver | 03/15/2024 |
| CVE-2024-45540 | Medium | Medium | HLOS | 05/07/2024 |
| CVE-2024-45543 | Medium | Medium | Audio | 05/06/2024 |
| CVE-2024-45544 | Medium | Medium | Data Network Stack & Connectivity | 05/16/2024 |

### CVE-2024-43066

| CVE ID | CVE-2024-43066 |
| --- | --- |
| Title | Use After Free in HLOS |
| Description | Memory corruption while handling file descriptor during listener registration/de-registration. |
| Technology Area | HLOS |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2024/10/07 |
| Affected Chipsets\* | CSRB31024, FastConnect 6200, FastConnect 6700, FastConnect 6800, FastConnect 6900, FastConnect 7800, MDM9650, QAM8295P, QCA6310, QCA6335, QCA6391, QCA6426, QCA6436, QCA6564, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6595, QCA6595AU, QCA6696, QCA6698AQ, QCM6490, QCS410, QCS610, QCS6490, QCS8550, Qualcomm 205 Mobile Platform, Qualcomm® Video Collaboration VC1 Platform, Qualcomm® Video Collaboration VC3 Platform, Robotics RB3 Platform, SA4150P, SA4155P, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SA8295P, SD660, SD865 5G, SDM429W, SG4150P, SM4125, SM6370, Snapdragon 210 Processor, Snapdragon 212 Mobile Platform, Snapdragon 4 Gen 1 Mobile Platform, Snapdragon 429 Mobile Platform, Snapdragon 460 Mobile Platform, Snapdragon 480 5G Mobile Platform, Snapdragon 480+ 5G Mobile Platform (SM4350-AC), Snapdragon 660 Mobile Platform, Snapdragon 662 Mobile Platform, Snapdragon 680 4G Mobile Platform, Snapdragon 685 4G Mobile Platform (SM6225-AD), Snapdragon 695 5G Mobile Platform, Snapdragon 820 Automotive Platform, Snapdragon 845 Mobile Platform, Snapdragon 865 5G Mobile Platform, Snapdragon 865+ 5G Mobile Platform (SM8250-AB), Snapdragon 870 5G Mobile Platform (SM8250-AC), Snapdragon Auto 5G Modem-RF, Snapdragon W5+ Gen 1 Wearable Platform, Snapdragon X55 5G Modem-RF System, Snapdragon XR1 Platform, Snapdragon XR2 5G Platform, Snapdragon Auto 4G Modem, SW5100, SW5100P, SXR1120, SXR2130, Vision Intelligence 400 Platform, WCD9326, WCD9335, WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3610, WCN3620, WCN3660B, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WSA8810, WSA8815, WSA8830, WSA8835 |
| Patch\*\* | <ul><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/kernel/msm-4.9/-/commit/a344210dd83697277fbbd391a6d4f126b32d97c3" target="_blank">https://git.codelinaro.org/clo/la/kernel/msm-4.9/-/commit/a344210dd83697277fbbd391a6d4f126b32d97c3</a><br>                                       </li></ul> |

### CVE-2024-49848

| CVE ID | CVE-2024-49848 |
| --- | --- |
| Title | Use After Free in DSP Service |
| Description | Memory corruption while processing multiple IOCTL calls from HLOS to DSP. |
| Technology Area | DSP Service |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | Medium |
| CVSS Score | 6.7 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 2024-07-24, 2024-08-28 |
| Customer Notified Date | 2025/01/06 |
| Affected Chipsets\* | AR8035, FastConnect 6200, FastConnect 6700, FastConnect 6900, FastConnect 7800, QAM8255P, QAM8295P, QAM8620P, QAM8650P, QAM8775P, QAMSRV1H, QAMSRV1M, QCA6174A, QCA6391, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6678AQ, QCA6688AQ, QCA6696, QCA6698AQ, QCA6797AQ, QCA8081, QCA8337, QCC710, QCM4325, QCM4490, QCM6125, QCM8550, QCN6224, QCN6274, QCN9011, QCN9012, QCS4490, QCS6125, QCS7230, QCS8250, QCS8550, QDU1000, QDU1010, QDU1110, QDU1210, QDX1010, QDX1011, QEP8111, QFW7114, QFW7124, QMP1000, QRU1032, QRU1052, QRU1062, Qualcomm® Video Collaboration VC1 Platform, Qualcomm® Video Collaboration VC5 Platform, SA6155P, SA7255P, SA7775P, SA8155P, SA8195P, SA8255P, SA8295P, SA8620P, SA8650P, SA8770P, SA8775P, SA9000P, SD 8 Gen1 5G, SG4150P, SG8275P, SM4635, SM6650, SM7635, SM7675, SM7675P, SM8550P, SM8635, SM8635P, SM8650Q, SM8735, SM8750, SM8750P, Snapdragon 4 Gen 1 Mobile Platform, Snapdragon 4 Gen 2 Mobile Platform, Snapdragon 460 Mobile Platform, Snapdragon 480 5G Mobile Platform, Snapdragon 480+ 5G Mobile Platform (SM4350-AC), Snapdragon 662 Mobile Platform, Snapdragon 680 4G Mobile Platform, Snapdragon 685 4G Mobile Platform (SM6225-AD), Snapdragon 695 5G Mobile Platform, Snapdragon 8 Gen 1 Mobile Platform, Snapdragon 8 Gen 2 Mobile Platform, Snapdragon 8 Gen 3 Mobile Platform, Snapdragon 8+ Gen 1 Mobile Platform, Snapdragon 8+ Gen 2 Mobile Platform, Snapdragon AR1 Gen 1 Platform, Snapdragon AR1 Gen 1 Platform "Luna1", Snapdragon AR2 Gen 1 Platform, Snapdragon Auto 5G Modem-RF Gen 2, Snapdragon W5+ Gen 1 Wearable Platform, Snapdragon X35 5G Modem-RF System, Snapdragon X72 5G Modem-RF System, Snapdragon X75 5G Modem-RF System, SRV1H, SRV1L, SRV1M, SSG2115P, SSG2125P, SW5100, SW5100P, SXR1230P, SXR2230P, SXR2250P, TalynPlus, Vision Intelligence 400 Platform, WCD9335, WCD9340, WCD9341, WCD9370, WCD9375, WCD9378, WCD9380, WCD9385, WCD9390, WCD9395, WCN3950, WCN3980, WCN3988, WCN3990, WCN6450, WCN6650, WCN6755, WCN7750, WCN7860, WCN7861, WCN7880, WCN7881, WSA8810, WSA8815, WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H |
| Patch\*\* | <ul><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/kernel/msm-5.10/-/commit/dff7593179b189f0ea55f0ad6ff2a153ffacf5b9" target="_blank">https://git.codelinaro.org/clo/la/kernel/msm-5.10/-/commit/dff7593179b189f0ea55f0ad6ff2a153ffacf5b9</a><br>                                       </li></ul> |

### CVE-2025-21428

| CVE ID | CVE-2025-21428 |
| --- | --- |
| Title | Buffer Over-read in WLAN Host |
| Description | Memory corruption occurs while connecting a STA to an AP and initiating an ADD TS request from the AP to establish a TSpec session. |
| Technology Area | WLAN Host |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.5 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Date Reported | 2024/08/30 |
| Customer Notified Date | 2025/01/06 |
| Affected Chipsets\* | 9206 LTE Modem, APQ8017, AR8031, C-V2X 9150, CSRA6620, CSRA6640, FastConnect 6200, FastConnect 6900, MDM9250, MDM9628, MDM9640, MDM9650, MSM8996AU, QCA6174, QCA6174A, QCA6175A, QCA6554A, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCA9367, QCA9377, QCA9379, QCM2150, QEP8111, Qualcomm 205 Mobile Platform, Qualcomm 215 Mobile Platform, SA2150P, SD626, SDM429W, Smart Audio 200 Platform, Smart Audio 400 Platform, Smart Display 200 Platform (APQ5053-AA), Snapdragon 1200 Wearable Platform, Snapdragon 210 Processor, Snapdragon 212 Mobile Platform, Snapdragon 425 Mobile Platform, Snapdragon 429 Mobile Platform, Snapdragon 439 Mobile Platform, Snapdragon 625 Mobile Platform, Snapdragon 626 Mobile Platform, Snapdragon 632 Mobile Platform, Snapdragon 820 Automotive Platform, Snapdragon Auto 5G Modem-RF, Snapdragon X12 LTE Modem, Snapdragon X35 5G Modem-RF System, Snapdragon X5 LTE Modem, Vision Intelligence 100 Platform (APQ8053-AA), Vision Intelligence 200 Platform (APQ8053-AC), WCD9326, WCD9330, WCD9335, WCD9340, WCN3610, WCN3615, WCN3620, WCN3660B, WCN3680, WCN3680B, WCN3980, WSA8810, WSA8815 |
| Patch\*\* | <ul><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/-/commit/d9dcb91ab404e04abc2f7170346f715c19024454<br>" target="_blank">https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/-/commit/d9dcb91ab404e04abc2f7170346f715c19024454<br></a><br>                                       </li><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/-/commit/da6bd86c2bf46205de116f7b612399dbf914ce29" target="_blank">https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/-/commit/da6bd86c2bf46205de116f7b612399dbf914ce29</a><br>                                       </li></ul> |

### CVE-2025-21429

| CVE ID | CVE-2025-21429 |
| --- | --- |
| Title | Buffer Over-read in WLAN Host |
| Description | Memory corruption occurs while connecting a STA to an AP and initiating an ADD TS request. |
| Technology Area | WLAN Host |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.5 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Date Reported | 2024/08/30 |
| Customer Notified Date | 2025/01/06 |
| Affected Chipsets\* | 9206 LTE Modem, APQ8017, APQ8064AU, AQT1000, AR8035, C-V2X 9150, CSRA6620, CSRA6640, CSRB31024, FastConnect 6200, FastConnect 6700, FastConnect 6800, FastConnect 6900, FastConnect 7800, MDM9250, MDM9628, MDM9640, MDM9650, MSM8996AU, QAM8255P, QAM8650P, QAM8775P, QCA6174A, QCA6175A, QCA6391, QCA6420, QCA6421, QCA6426, QCA6430, QCA6431, QCA6436, QCA6554A, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6678AQ, QCA6696, QCA6698AQ, QCA6777AQ, QCA6787AQ, QCA6797AQ, QCA8081, QCA8337, QCA9367, QCA9377, QCC2073, QCC2076, QCM2290, QCM4290, QCM5430, QCM6125, QCM6490, QCN6024, QCN9024, QCN9074, QCS2290, QCS410, QCS4290, QCS5430, QCS610, QCS6125, QCS6490, Qualcomm 205 Mobile Platform, Qualcomm® Video Collaboration VC1 Platform, Qualcomm® Video Collaboration VC3 Platform, SA2150P, SA4150P, SA4155P, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SA8530P, SA8540P, SA9000P, SD626, SD660, SD670, SD730, SD855, SD865 5G, SDM429W, SDX55, SDX61, SM4125, SM6250, SM6370, Smart Audio 200 Platform, Smart Audio 400 Platform, Smart Display 200 Platform (APQ5053-AA), Snapdragon 1200 Wearable Platform, Snapdragon 210 Processor, Snapdragon 212 Mobile Platform, Snapdragon 4 Gen 1 Mobile Platform, Snapdragon 429 Mobile Platform, Snapdragon 460 Mobile Platform, Snapdragon 480 5G Mobile Platform, Snapdragon 480+ 5G Mobile Platform (SM4350-AC), Snapdragon 625 Mobile Platform, Snapdragon 626 Mobile Platform, Snapdragon 660 Mobile Platform, Snapdragon 662 Mobile Platform, Snapdragon 670 Mobile Platform, Snapdragon 675 Mobile Platform, Snapdragon 678 Mobile Platform (SM6150-AC), Snapdragon 680 4G Mobile Platform, Snapdragon 685 4G Mobile Platform (SM6225-AD), Snapdragon 695 5G Mobile Platform, Snapdragon 710 Mobile Platform, Snapdragon 720G Mobile Platform, Snapdragon 730 Mobile Platform (SM7150-AA), Snapdragon 730G Mobile Platform (SM7150-AB), Snapdragon 732G Mobile Platform (SM7150-AC), Snapdragon 8 Gen 3 Mobile Platform, Snapdragon 8+ Gen 1 Mobile Platform, Snapdragon 820 Automotive Platform, Snapdragon 855 Mobile Platform, Snapdragon 855+/860 Mobile Platform (SM8150-AC), Snapdragon 865 5G Mobile Platform, Snapdragon 865+ 5G Mobile Platform (SM8250-AB), Snapdragon 870 5G Mobile Platform (SM8250-AC), Snapdragon Auto 5G Modem-RF, Snapdragon Auto 5G Modem-RF Gen 2, Snapdragon W5+ Gen 1 Wearable Platform, Snapdragon X24 LTE Modem, Snapdragon X5 LTE Modem, Snapdragon X50 5G Modem-RF System, Snapdragon X55 5G Modem-RF System, Snapdragon X62 5G Modem-RF System, Snapdragon X65 5G Modem-RF System, Snapdragon XR1 Platform, Snapdragon XR2 5G Platform, Snapdragon XR2+ Gen 1 Platform, Snapdragon Auto 4G Modem, SW5100, SW5100P, SXR1120, SXR2130, SXR2230P, SXR2250P, Vision Intelligence 100 Platform (APQ8053-AA), Vision Intelligence 200 Platform (APQ8053-AC), WCD9326, WCD9330, WCD9335, WCD9341, WCD9360, WCD9370, WCD9375, WCD9380, WCD9385, WCD9390, WCD9395, WCN3610, WCN3615, WCN3620, WCN3660B, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WSA8810, WSA8815, WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H |
| Patch\*\* | <ul><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/prima/-/commit/c289e8c5b71a829cf2edfcc3ea771cead1be42b7<br>" target="_blank">https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/prima/-/commit/c289e8c5b71a829cf2edfcc3ea771cead1be42b7<br></a><br>                                       </li><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/-/commit/685e5c9a53e754d4eb67211ed5ec7b4144bbfcd1 " target="_blank">https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/-/commit/685e5c9a53e754d4eb67211ed5ec7b4144bbfcd1 </a><br>                                       </li><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/prima/-/commit/eb025c00a7e68d58afb5e7885a32b20db13cff39" target="_blank">https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/prima/-/commit/eb025c00a7e68d58afb5e7885a32b20db13cff39</a><br>                                       </li></ul> |

### CVE-2025-21430

| CVE ID | CVE-2025-21430 |
| --- | --- |
| Title | Buffer Over-read in WLAN Host |
| Description | Transient DOS while connecting STA to AP and initiating ADD TS request from AP to establish TSpec session. |
| Technology Area | WLAN Host |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.5 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Date Reported | 2024/08/30 |
| Customer Notified Date | 2025/01/06 |
| Affected Chipsets\* | 315 5G IoT Modem, APQ8017, APQ8064AU, AQT1000, AR8031, AR8035, CSRA6620, CSRA6640, CSRB31024, FastConnect 6200, FastConnect 6700, FastConnect 6800, FastConnect 6900, FastConnect 7800, Flight RB5 5G Platform, MDM9628, MDM9640, MSM8996AU, QAM8255P, QAM8295P, QAM8620P, QAM8650P, QAM8775P, QAMSRV1H, QAMSRV1M, QCA6174A, QCA6175A, QCA6310, QCA6320, QCA6335, QCA6391, QCA6420, QCA6426, QCA6430, QCA6436, QCA6554A, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6678AQ, QCA6688AQ, QCA6696, QCA6698AQ, QCA6777AQ, QCA6787AQ, QCA6797AQ, QCA8081, QCA8337, QCA9367, QCA9377, QCC2073, QCC2076, QCC710, QCM2290, QCM4290, QCM5430, QCM6125, QCM6490, QCM8550, QCN6024, QCN6224, QCN6274, QCN9011, QCN9012, QCN9024, QCN9074, QCN9274, QCS2290, QCS410, QCS4290, QCS5430, QCS610, QCS6125, QCS615, QCS6490, QCS7230, QCS8250, QCS8300, QCS8550, QCS9100, QEP8111, QFW7114, QFW7124, QRB5165M, QRB5165N, Qualcomm 205 Mobile Platform, Qualcomm® Video Collaboration VC1 Platform, Qualcomm® Video Collaboration VC3 Platform, Qualcomm® Video Collaboration VC5 Platform, Robotics RB3 Platform, Robotics RB5 Platform, SA2150P, SA4150P, SA4155P, SA6145P, SA6150P, SA6155, SA6155P, SA7255P, SA7775P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SA8255P, SA8295P, SA8530P, SA8540P, SA8620P, SA8650P, SA8770P, SA8775P, SA9000P, SD 8 Gen1 5G, SD660, SD730, SD835, SD855, SD865 5G, SDM429W, SDX55, SDX61, SG4150P, SG8275P, SM4125, SM4635, SM6250, SM7250P, SM8550P, Smart Audio 400 Platform, Snapdragon 210 Processor, Snapdragon 212 Mobile Platform, Snapdragon 429 Mobile Platform, Snapdragon 460 Mobile Platform, Snapdragon 660 Mobile Platform, Snapdragon 662 Mobile Platform, Snapdragon 675 Mobile Platform, Snapdragon 678 Mobile Platform (SM6150-AC), Snapdragon 680 4G Mobile Platform, Snapdragon 685 4G Mobile Platform (SM6225-AD), Snapdragon 690 5G Mobile Platform, Snapdragon 720G Mobile Platform, Snapdragon 730 Mobile Platform (SM7150-AA), Snapdragon 730G Mobile Platform (SM7150-AB), Snapdragon 732G Mobile Platform (SM7150-AC), Snapdragon 750G 5G Mobile Platform, Snapdragon 765 5G Mobile Platform (SM7250-AA), Snapdragon 765G 5G Mobile Platform (SM7250-AB), Snapdragon 768G 5G Mobile Platform (SM7250-AC), Snapdragon 8 Gen 1 Mobile Platform, Snapdragon 8 Gen 2 Mobile Platform, Snapdragon 8 Gen 3 Mobile Platform, Snapdragon 8+ Gen 1 Mobile Platform, Snapdragon 8+ Gen 2 Mobile Platform, Snapdragon 820 Automotive Platform, Snapdragon 835 Mobile PC Platform, Snapdragon 845 Mobile Platform, Snapdragon 855 Mobile Platform, Snapdragon 855+/860 Mobile Platform (SM8150-AC), Snapdragon 865 5G Mobile Platform, Snapdragon 865+ 5G Mobile Platform (SM8250-AB), Snapdragon 870 5G Mobile Platform (SM8250-AC), Snapdragon AR1 Gen 1 Platform, Snapdragon AR1 Gen 1 Platform "Luna1", Snapdragon AR2 Gen 1 Platform, Snapdragon Auto 5G Modem-RF, Snapdragon Auto 5G Modem-RF Gen 2, Snapdragon W5+ Gen 1 Wearable Platform, Snapdragon X35 5G Modem-RF System, Snapdragon X5 LTE Modem, Snapdragon X50 5G Modem-RF System, Snapdragon X55 5G Modem-RF System, Snapdragon X62 5G Modem-RF System, Snapdragon X65 5G Modem-RF System, Snapdragon X72 5G Modem-RF System, Snapdragon X75 5G Modem-RF System, Snapdragon XR1 Platform, Snapdragon XR2 5G Platform, Snapdragon XR2+ Gen 1 Platform, Snapdragon Auto 4G Modem, SRV1H, SRV1L, SRV1M, SW5100, SW5100P, SXR1120, SXR2130, SXR2230P, SXR2250P, WCD9326, WCD9335, WCD9340, WCD9341, WCD9360, WCD9370, WCD9375, WCD9378, WCD9380, WCD9385, WCD9390, WCD9395, WCN3610, WCN3620, WCN3660B, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WSA8810, WSA8815, WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H |
| Patch\*\* | <ul><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/-/commit/c4cbf1d319b852ac06bef4ca692de81e1b9b3c8e<br>" target="_blank">https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/-/commit/c4cbf1d319b852ac06bef4ca692de81e1b9b3c8e<br></a><br>                                       </li><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/prima/-/commit/c289e8c5b71a829cf2edfcc3ea771cead1be42b7" target="_blank">https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/prima/-/commit/c289e8c5b71a829cf2edfcc3ea771cead1be42b7</a><br>                                       </li></ul> |

### CVE-2025-21434

| CVE ID | CVE-2025-21434 |
| --- | --- |
| Title | Buffer Over-read in WLAN Host |
| Description | Transient DOS may occur while parsing EHT operation IE or EHT capability IE. |
| Technology Area | WLAN Host |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.5 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Date Reported | 2024/09/01 |
| Customer Notified Date | 2025/01/06 |
| Affected Chipsets\* | AR8035, FastConnect 6700, FastConnect 6900, FastConnect 7800, QAM8255P, QAM8295P, QAM8620P, QAM8650P, QAM8775P, QAMSRV1H, QAMSRV1M, QCA6391, QCA6554A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6678AQ, QCA6688AQ, QCA6696, QCA6698AQ, QCA6777AQ, QCA6787AQ, QCA6797AQ, QCA8081, QCA8337, QCC2073, QCC2076, QCC710, QCM5430, QCM6490, QCM8550, QCN6224, QCN6274, QCN9011, QCN9012, QCN9274, QCS5430, QCS615, QCS6490, QCS7230, QCS8250, QCS8300, QCS8550, QCS9100, QFW7114, QFW7124, QMP1000, Qualcomm® Video Collaboration VC3 Platform, Qualcomm® Video Collaboration VC5 Platform, SA6155P, SA7255P, SA7775P, SA8155P, SA8195P, SA8255P, SA8295P, SA8530P, SA8540P, SA8620P, SA8650P, SA8770P, SA8775P, SA9000P, SG8275P, SM6650, SM7635, SM7675, SM7675P, SM8550P, SM8635, SM8635P, SM8650Q, SM8735, SM8750, SM8750P, Snapdragon 8 Gen 2 Mobile Platform, Snapdragon 8 Gen 3 Mobile Platform, Snapdragon 8+ Gen 2 Mobile Platform, Snapdragon AR1 Gen 1 Platform, Snapdragon AR1 Gen 1 Platform "Luna1", Snapdragon AR2 Gen 1 Platform, Snapdragon Auto 5G Modem-RF Gen 2, Snapdragon X72 5G Modem-RF System, Snapdragon X75 5G Modem-RF System, SRV1H, SRV1L, SRV1M, SSG2115P, SSG2125P, SXR1230P, SXR2230P, SXR2250P, SXR2330P, Vision Intelligence 400 Platform, WCD9335, WCD9340, WCD9341, WCD9370, WCD9375, WCD9378, WCD9380, WCD9385, WCD9390, WCD9395, WCN3990, WCN6650, WCN6755, WCN7750, WCN7860, WCN7861, WCN7880, WCN7881, WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H |
| Patch\*\* | <ul><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/-/commit/94ff823de3bd4986c6f4a62581e1296dd50c0da8" target="_blank">https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/-/commit/94ff823de3bd4986c6f4a62581e1296dd50c0da8</a><br>                                       </li></ul> |

### CVE-2025-21435

| CVE ID | CVE-2025-21435 |
| --- | --- |
| Title | Buffer Over-read in WLAN Host Communication |
| Description | Transient DOS may occur while parsing extended IE in beacon. |
| Technology Area | WLAN Host Communication |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.5 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Date Reported | 2024/09/12 |
| Customer Notified Date | 2025/01/06 |
| Affected Chipsets\* | AR8035, CSR8811, FastConnect 6800, FastConnect 6900, FastConnect 7800, Immersive Home 214 Platform, Immersive Home 216 Platform, Immersive Home 316 Platform, Immersive Home 318 Platform, Immersive Home 3210 Platform, Immersive Home 326 Platform, IPQ5010, IPQ5028, IPQ5300, IPQ5302, IPQ5312, IPQ5332, IPQ6000, IPQ6010, IPQ6018, IPQ6028, IPQ8070A, IPQ8071A, IPQ8072A, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078, IPQ8078A, IPQ8173, IPQ8174, IPQ9008, IPQ9048, IPQ9554, IPQ9570, IPQ9574, QAM8255P, QAM8650P, QAM8775P, QCA4024, QCA6391, QCA6421, QCA6426, QCA6431, QCA6436, QCA6554A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6678AQ, QCA6696, QCA6698AQ, QCA6777AQ, QCA6787AQ, QCA6797AQ, QCA8075, QCA8081, QCA8082, QCA8084, QCA8085, QCA8337, QCA8386, QCA9888, QCA9889, QCC2073, QCC2076, QCC710, QCF8000, QCF8000SFP, QCF8001, QCN5022, QCN5024, QCN5052, QCN5122, QCN5124, QCN5152, QCN5154, QCN5164, QCN6023, QCN6024, QCN6112, QCN6122, QCN6132, QCN6224, QCN6274, QCN6402, QCN6412, QCN6422, QCN6432, QCN9000, QCN9012, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCN9100, QCN9160, QCN9274, QFW7114, QFW7124, QMP1000, QXM8083, SA6155P, SA8155P, SA8195P, SDX55, SDX65M, SM8735, SM8750, SM8750P, Snapdragon 8 Gen 3 Mobile Platform, Snapdragon 865 5G Mobile Platform, Snapdragon 865+ 5G Mobile Platform (SM8250-AB), Snapdragon 870 5G Mobile Platform (SM8250-AC), Snapdragon X55 5G Modem-RF System, Snapdragon X65 5G Modem-RF System, Snapdragon X72 5G Modem-RF System, Snapdragon X75 5G Modem-RF System, SW5100, SW5100P, SXR2330P, WCD9340, WCD9378, WCD9380, WCD9385, WCD9390, WCD9395, WCN3980, WCN3988, WCN6450, WCN6755, WCN7750, WCN7860, WCN7861, WCN7880, WCN7881, WSA8810, WSA8815, WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H |
| Patch\*\* | <ul><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn/-/commit/5c4757fa56e39e217064ae44d1d91c7ea0ba2b7e" target="_blank">https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn/-/commit/5c4757fa56e39e217064ae44d1d91c7ea0ba2b7e</a><br>                                       </li></ul> |

### CVE-2025-21436

| CVE ID | CVE-2025-21436 |
| --- | --- |
| Title | Use After Free in DSP Service |
| Description | Memory corruption may occur while initiating two IOCTL calls simultaneously to create processes from two different threads. |
| Technology Area | DSP Service |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2025/01/06 |
| Affected Chipsets\* | FastConnect 7800, QMP1000, SM8735, SM8750, SM8750P, Snapdragon 8 Gen 3 Mobile Platform, Snapdragon W5+ Gen 1 Wearable Platform, SW5100, SW5100P, SXR2330P, WCD9378, WCD9380, WCD9390, WCD9395, WCN7750, WCN7860, WCN7861, WCN7880, WCN7881, WSA8830, WSA8832, WSA8835, WSA8840, WSA8845, WSA8845H |
| Patch\*\* | <ul><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/platform/vendor/qcom/opensource/dsp-kernel/-/commit/d773536ae72f899be041e8e4683d0270de20f3b5" target="_blank">https://git.codelinaro.org/clo/la/platform/vendor/qcom/opensource/dsp-kernel/-/commit/d773536ae72f899be041e8e4683d0270de20f3b5</a><br>                                       </li></ul> |

### CVE-2025-21437

| CVE ID | CVE-2025-21437 |
| --- | --- |
| Title | Use After Free in Automotive Linux OS |
| Description | Memory corruption while processing memory map or unmap IOCTL operations simultaneously. |
| Technology Area | Automotive Linux OS |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 2025/01/06 |
| Affected Chipsets\* | QAM8255P, QAM8295P, QAM8620P, QAM8650P, QAM8775P, QAMSRV1H, QAMSRV1M, QCA6574, QCA6574A, QCA6574AU, QCA6595, QCA6595AU, QCA6688AQ, QCA6696, QCA6698AQ, QCA6797AQ, SA6155P, SA7255P, SA7775P, SA8155P, SA8195P, SA8255P, SA8295P, SA8620P, SA8650P, SA8770P, SA8775P, SA9000P, SRV1H, SRV1L, SRV1M |
| Patch\*\* | <ul><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/platform/vendor/qcom/opensource/platform-kernel/-/commit/96578dab9fe7202ed225d7900e8272e5ad99cb0e" target="_blank">https://git.codelinaro.org/clo/la/platform/vendor/qcom/opensource/platform-kernel/-/commit/96578dab9fe7202ed225d7900e8272e5ad99cb0e</a><br>                                       </li></ul> |

### CVE-2024-43058

| CVE ID | CVE-2024-43058 |
| --- | --- |
| Title | Incorrect Type Conversion or Cast in Multimedia Frameworks |
| Description | Memory corruption while processing IOCTL calls. |
| Technology Area | Multimedia Frameworks |
| Vulnerability Type | CWE-704 Incorrect Type Conversion or Cast |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 2024/03/19 |
| Customer Notified Date | 2024/10/07 |
| Affected Chipsets\* | FastConnect 6900, FastConnect 7800, Snapdragon 8 Gen 1 Mobile Platform, WCD9380, WSA8830, WSA8835 |
| Patch\*\* | <ul><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/le/platform/vendor/opensource/synx-kernel/-/commit/3e3fd3b8cf2359dfde1638080d827309be882d71" target="_blank">https://git.codelinaro.org/clo/le/platform/vendor/opensource/synx-kernel/-/commit/3e3fd3b8cf2359dfde1638080d827309be882d71</a><br>                                       </li></ul> |

### CVE-2024-43067

| CVE ID | CVE-2024-43067 |
| --- | --- |
| Title | Time-of-check Time-of-use (TOCTOU) Race Condition in Camera |
| Description | Memory corruption occurs during the copying of read data from the EEPROM because the IO configuration is exposed as shared memory. |
| Technology Area | Camera Driver |
| Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 2024/03/15 |
| Customer Notified Date | 2024/10/07 |
| Affected Chipsets\* | C-V2X 9150, FastConnect 6800, FastConnect 6900, FastConnect 7800, QAM8295P, QCA6391, QCA6426, QCA6436, QCA6574AU, QCA6696, QCN9074, QCS410, QCS610, QSM8250, Qualcomm® Video Collaboration VC1 Platform, Qualcomm® Video Collaboration VC3 Platform, SA6145P, SA6150P, SA6155P, SA8145P, SA8150P, SA8155P, SA8195P, SA8295P, SA8530P, SA8540P, SA9000P, SD865 5G, SDM429W, SDX55, Snapdragon 429 Mobile Platform, Snapdragon 8 Gen 1 Mobile Platform, Snapdragon 865 5G Mobile Platform, Snapdragon 865+ 5G Mobile Platform (SM8250-AB), Snapdragon 870 5G Mobile Platform (SM8250-AC), Snapdragon W5+ Gen 1 Wearable Platform, Snapdragon X55 5G Modem-RF System, Snapdragon XR2 5G Platform, SW5100, SW5100P, SXR2130, SXR2230P, SXR2250P, WCD9341, WCD9370, WCD9380, WCD9385, WCN3620, WCN3660B, WCN3680B, WCN3950, WCN3980, WCN3988, WSA8810, WSA8815, WSA8830, WSA8832, WSA8835 |
| Patch\*\* | <ul><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/platform/vendor/opensource/camera-kernel/-/commit/304b1be21d887eb9f072d69a0d95204bc98e4fe8<br>" target="_blank">https://git.codelinaro.org/clo/la/platform/vendor/opensource/camera-kernel/-/commit/304b1be21d887eb9f072d69a0d95204bc98e4fe8<br></a><br>                                       </li><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/kernel/msm-4.14/-/commit/228832dc1661d226f39ca0bff9847d51ba8e1e78<br>" target="_blank">https://git.codelinaro.org/clo/la/kernel/msm-4.14/-/commit/228832dc1661d226f39ca0bff9847d51ba8e1e78<br></a><br>                                       </li><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/kernel/msm-4.14/-/commit/042dac157ca1056072b30ecaf4b59ec447f8ad5f" target="_blank">https://git.codelinaro.org/clo/la/kernel/msm-4.14/-/commit/042dac157ca1056072b30ecaf4b59ec447f8ad5f</a><br>                                       </li></ul> |

### CVE-2024-45540

| CVE ID | CVE-2024-45540 |
| --- | --- |
| Title | Use After Free in HLOS |
| Description | Memory corruption while invoking IOCTL map buffer request from userspace. |
| Technology Area | HLOS |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | Medium |
| CVSS Score | 6.6 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L |
| Date Reported | 2024/05/07 |
| Customer Notified Date | 2024/10/07 |
| Affected Chipsets\* | C-V2X 9150, FastConnect 6200, FastConnect 6800, FastConnect 6900, FastConnect 7800, QAM8295P, QCA6174A, QCA6391, QCA6426, QCA6436, QCA6574AU, QCA6595AU, QCA6678AQ, QCA6688AQ, QCA6696, QCA6698AQ, QCA9367, QCA9377, QCN9074, QCS410, QCS610, QSM8250, Qualcomm® Video Collaboration VC1 Platform, Qualcomm® Video Collaboration VC3 Platform, SA6145P, SA6150P, SA6155P, SA8145P, SA8150P, SA8155P, SA8195P, SA8295P, SA8530P, SA8540P, SA9000P, SD865 5G, SDX55, Snapdragon 4 Gen 1 Mobile Platform, Snapdragon 480 5G Mobile Platform, Snapdragon 480+ 5G Mobile Platform (SM4350-AC), Snapdragon 695 5G Mobile Platform, Snapdragon 8 Gen 1 Mobile Platform, Snapdragon 865 5G Mobile Platform, Snapdragon 865+ 5G Mobile Platform (SM8250-AB), Snapdragon 870 5G Mobile Platform (SM8250-AC), Snapdragon 888 5G Mobile Platform, Snapdragon 888+ 5G Mobile Platform (SM8350-AC), Snapdragon Auto 5G Modem-RF Gen 2, Snapdragon W5+ Gen 1 Wearable Platform, Snapdragon X55 5G Modem-RF System, Snapdragon XR2 5G Platform, SW5100, SW5100P, SXR2130, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3660B, WCN3680B, WCN3950, WCN3980, WCN3988, WSA8810, WSA8815, WSA8830, WSA8835 |
| Patch\*\* | <ul><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/kernel/msm-5.10/-/commit/98dd344161ad4050838755a71236d2597d8f65cb<br>" target="_blank">https://git.codelinaro.org/clo/la/kernel/msm-5.10/-/commit/98dd344161ad4050838755a71236d2597d8f65cb<br></a><br>                                       </li><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/platform/vendor/qcom/opensource/securemsm-kernel/-/commit/080c4a1d5e5d0cd2a6744a22e2d7969566c4150f<br>" target="_blank">https://git.codelinaro.org/clo/la/platform/vendor/qcom/opensource/securemsm-kernel/-/commit/080c4a1d5e5d0cd2a6744a22e2d7969566c4150f<br></a><br>                                       </li><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/platform/vendor/qcom/opensource/securemsm-kernel/-/commit/43d6c99a0e101f4bb7081b72f7fcb42c5d973de6" target="_blank">https://git.codelinaro.org/clo/la/platform/vendor/qcom/opensource/securemsm-kernel/-/commit/43d6c99a0e101f4bb7081b72f7fcb42c5d973de6</a><br>                                       </li></ul> |

### CVE-2024-45543

| CVE ID | CVE-2024-45543 |
| --- | --- |
| Title | Out-of-bounds Write in Audio |
| Description | Memory corruption while accessing MSM channel map and mixer functions. |
| Technology Area | Audio |
| Vulnerability Type | CWE-787: Out-of-bounds Write |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | Medium |
| CVSS Score | 6.6 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L |
| Date Reported | 2024/05/06 |
| Customer Notified Date | 2024/10/07 |
| Affected Chipsets\* | C-V2X 9150, FastConnect 6200, FastConnect 6800, FastConnect 6900, FastConnect 7800, MSM8996AU, QAM8295P, QCA6391, QCA6426, QCA6436, QCA6564A, QCA6564AU, QCA6574A, QCA6574AU, QCA6696, QCA9367, QCA9377, QCN9074, QCS410, QCS610, QCS8550, QSM8250, Qualcomm® Video Collaboration VC1 Platform, Qualcomm® Video Collaboration VC3 Platform, SA6145P, SA6150P, SA6155P, SA8145P, SA8150P, SA8155P, SA8195P, SA8295P, SA8530P, SA8540P, SA9000P, SD865 5G, SDX55, Snapdragon 4 Gen 1 Mobile Platform, Snapdragon 480 5G Mobile Platform, Snapdragon 480+ 5G Mobile Platform (SM4350-AC), Snapdragon 695 5G Mobile Platform, Snapdragon 820 Automotive Platform, Snapdragon 865 5G Mobile Platform, Snapdragon 865+ 5G Mobile Platform (SM8250-AB), Snapdragon 870 5G Mobile Platform (SM8250-AC), Snapdragon X55 5G Modem-RF System, Snapdragon XR2 5G Platform, SXR2130, SXR2230P, SXR2250P, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3660B, WCN3680B, WCN3950, WCN3980, WCN3988, WSA8810, WSA8815, WSA8830, WSA8832, WSA8835 |
| Patch\*\* | <ul><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/platform/vendor/opensource/audio-kernel/-/commit/79cc2c960a5a8689e2043905d02dcbd4dd44f4e9<br>" target="_blank">https://git.codelinaro.org/clo/la/platform/vendor/opensource/audio-kernel/-/commit/79cc2c960a5a8689e2043905d02dcbd4dd44f4e9<br></a><br>                                       </li><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/platform/vendor/opensource/audio-kernel/-/commit/99bbf28046a4b05b17bf731f0e7a6533cb17ffc7" target="_blank">https://git.codelinaro.org/clo/la/platform/vendor/opensource/audio-kernel/-/commit/99bbf28046a4b05b17bf731f0e7a6533cb17ffc7</a><br>                                       </li></ul> |

### CVE-2024-45544

| CVE ID | CVE-2024-45544 |
| --- | --- |
| Title | Use After Free in Data Network Stack & Connectivity |
| Description | Memory corruption while processing IOCTL calls to add route entry in the HW. |
| Technology Area | Data Network Stack & Connectivity |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | Medium |
| CVSS Score | 6.6 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L |
| Date Reported | 2024/05/16 |
| Customer Notified Date | 2024/10/07 |
| Affected Chipsets\* | C-V2X 9150, FastConnect 6800, FastConnect 6900, QCA6391, QCA6426, QCA6436, QCA6574AU, QCA6595AU, QCA6678AQ, QCA6688AQ, QCA6696, QCA6698AQ, QCA9367, QCA9377, QCN9074, SA4150P, SA4155P, SA6145P, SA6150P, SA6155P, SA8145P, SA8150P, SA8155P, SA8195P, SD865 5G, Snapdragon 865 5G Mobile Platform, Snapdragon 865+ 5G Mobile Platform (SM8250-AB), Snapdragon 870 5G Mobile Platform (SM8250-AC), Snapdragon Auto 5G Modem-RF Gen 2, Snapdragon W5+ Gen 1 Wearable Platform, Snapdragon X55 5G Modem-RF System, Snapdragon XR2 5G Platform, SW5100, SW5100P, SXR2130, WCD9380, WCN3660B, WCN3680B, WCN3980, WCN3988, WSA8810, WSA8815, WSA8830, WSA8835 |
| Patch\*\* | <ul><li><br>                                             <a class="word-wrap" href="https://git.codelinaro.org/clo/la/kernel/msm-4.19/-/commit/775a7f8f0b3567839328fce0e3fb2dc728c41ce3" target="_blank">https://git.codelinaro.org/clo/la/kernel/msm-4.19/-/commit/775a7f8f0b3567839328fce0e3fb2dc728c41ce3</a><br>                                       </li></ul> |

\* The list of affected chipsets may not be complete.
                For latest information, device OEMs can contact QTI directly at [www.qualcomm.com/support](https://www.qualcomm.com/support).

\*\* Data is generated only at the time of bulletin creation

## Industry Coordination

Security ratings of issues included in Android security
                bulletins and these bulletins match in the most common scenarios but may
                differ in some cases due to one of the following reasons:

- Consideration of security protections such as SELinux not enforced on some platforms
- Differences in assessment of some specific
                    scenarios that involves local denial of service or privilege escalation
                    vulnerabilities in the high level OS kernel

All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.

Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.

This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.

Qualcomm Technologies, Inc.

San Diego, CA 92121

U.S.A.

© 2022 Qualcomm Technologies, Inc. and/or its subsidiaries. All rights reserved.