The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

Information disclosure while parsing the OCI IE with invalid length.

Memory corruption while handling IOCTL call from user-space to set latency level.

Memory corruption while taking a snapshot with hardware encoder due to unvalidated userspace buffer.

Memory corruption while configuring a Hypervisor based input virtual device.

Memory corruption when IOCTL call is invoked from user-space to write board data to WLAN driver.

Memory corruption when IOCTL call is invoked from user-space to read board data.

Memory corruption while invoking IOCTL calls from user space to issue factory test command inside WLAN driver.

Memory corruption when allocating and accessing an entry in an SMEM partition continuously.

Memory corruption while Configuring the SMR/S2CR register in Bypass mode.