Memory corruption while parsing sensor packets in camera driver, user-space variable is used while allocating memory in kernel and parsing which can lead to huge allocation or invalid memory access.

Memory corruption while processing GPU page table switch.

Memory corruption while processing voice packet with arbitrary data received from ADSP.

Memory corruption while handling session errors from firmware.

Transient DOS while processing the CU information from RNR IE.

Memory corruption when the user application modifies the same shared memory asynchronously when kernel is accessing it.

Transient DOS when transmission of management frame sent by host is not successful and error status is received in the host.

Transient DOS while parsing noninheritance IE of Extension element when length of IE is 2 of beacon frame.

Memory corruption when invalid length is provided from HLOS for FRS/UDS request/response buffers.

Transient DOS while parsing the multi-link element Control field when common information length check is missing before updating the location.