Transient DOS while parsing probe response and assoc response frame.

Information disclosure while parsing the BSS parameter change count or MLD capabilities fields of the ML IE.

Memory corruption while unmapping the fastrpc map when two threads can free the same map in concurrent scenario.

Memory corruption while invoking IOCTL calls for MSM module from the user space during audio playback and record.

Memory corruption when invalid length is provided from HLOS for FRS/UDS request/response buffers.

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.  It is also possible to force a derived key to be all zeros instead of an unpredictable value.  This may have follow-on implications for the Go TLS stack.

Memory corruption while processing IOCTL call for getting group info.

Memory corruption when two threads try to map and unmap a single node simultaneously.

Transient DOS while parsing the multi-link element Control field when common information length check is missing before updating the location.

Transient DOS while processing TIM IE from beacon frame as there is no check for IE length.