The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

Memory corruption while processing API calls to NPU with invalid input.

Memory corruption when allocating and accessing an entry in an SMEM partition continuously.

Memory corruption while Configuring the SMR/S2CR register in Bypass mode.

Transient DOS while parsing BTM ML IE when per STA profile is not included.

Transient DOS while decoding attach reject message received by UE, when IEI is set to ESM_IEI.

Memory corruption while performing finish HMAC operation when context is freed by keymaster.

Cryptographic issue while performing attach with a LTE network, a rogue base station can skip the authentication phase and immediately send the Security Mode Command.

Memory corruption while processing finish_sign command to pass a rsp buffer.

Memory corruption in SPS Application while requesting for public key in sorter TA.