The buffer obtained from kernel APIs such as cam_mem_get_cpu_buf() may be readable/writable in userspace after kernel accesses it. In other words, user mode may race and modify the packet header (e.g. header.count), causing checks (e.g. size checks) in kernel code to be invalid. This may lead to out-of-bounds read/write issues.
| Vulnerable Product | Search on Vulmon | Subscribe to Product |
|---|---|---|
qualcomm fastconnect_6800_firmware - |
||
qualcomm fastconnect_6900_firmware - |
||
qualcomm fastconnect_7800_firmware - |
||
qualcomm qca6391_firmware - |
||
qualcomm qca6426_firmware - |
||
qualcomm qca6436_firmware - |
||
qualcomm qcn9074_firmware - |
||
qualcomm qcs410_firmware - |
||
qualcomm qcs610_firmware - |
||
qualcomm sd865_5g_firmware - |
||
qualcomm snapdragon_8_gen_1_firmware - |
||
qualcomm snapdragon_865_5g_firmware - |
||
qualcomm snapdragon_865\\+_5g_firmware - |
||
qualcomm snapdragon_870_5g_firmware - |
||
qualcomm snapdragon_x55_5g_firmware - |
||
qualcomm snapdragon_xr2_5g_firmware - |
||
qualcomm sw5100_firmware - |
||
qualcomm sw5100p_firmware - |
||
qualcomm sxr2130_firmware - |
||
qualcomm wcd9341_firmware - |
||
qualcomm wcd9370_firmware - |
||
qualcomm wcd9380_firmware - |
||
qualcomm wcn3660b_firmware - |
||
qualcomm wcn3680b_firmware - |
||
qualcomm wcn3950_firmware - |
||
qualcomm wcn3980_firmware - |
||
qualcomm wcn3988_firmware - |
||
qualcomm wsa8810_firmware - |
||
qualcomm wsa8815_firmware - |
||
qualcomm wsa8830_firmware - |
||
qualcomm wsa8835_firmware - |
Vulmon