Information disclosure while parsing the BSS parameter change count or MLD capabilities fields of the ML IE.

Transient DOS when transmission of management frame sent by host is not successful and error status is received in the host.

Memory corruption while taking snapshot when an offset variable is set by camera driver.

Transient DOS while parsing noninheritance IE of Extension element when length of IE is 2 of beacon frame.

Memory corruption while unmapping the fastrpc map when two threads can free the same map in concurrent scenario.

Memory corruption while sending the persist buffer command packet from the user-space to the kernel space through the IOCTL call.

Memory corruption is possible when an attempt is made from userspace or console to write some haptics effects pattern to the haptics debugfs file.

Memory corruption when invalid length is provided from HLOS for FRS/UDS request/response buffers.

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.  It is also possible to force a derived key to be all zeros instead of an unpredictable value.  This may have follow-on implications for the Go TLS stack.

Transient DOS while handling PS event when Program Service name length offset value is set to 255.