
CVE-2021-35117: March 2022 Security Bulletin | Qualcomm

An Out of Bounds read may potentially occur while processing an IBSS beacon, in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music


Version 1.0

Published: 03/07/2022

This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices…

Please reach out to [email protected] for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

  • CVE-2021-30333, CVE-2021-30331: Peter Park (peterpark)
  • CVE-2021-35088: Gengjia Chen (@chengjia4574)
  • CVE-2021-35103, CVE-2021-35106, CVE-2021-35117: Gengjia Chen (@chengjia4574) from IceSword Lab
  • CVE-2021-35105: Man Yue Mo of GitHub Security Lab
  • CVE-2021-30299: Hang Zhang, Zhiyun Qian from UC Riverside

Proprietary Software Issues

The tables below summarize security vulnerabilities that were addressed through proprietary software.

This table lists high impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.

| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
|---|---|---|---|---|
| CVE-2021-1942 | Critical | Critical | Core | Internal |
| CVE-2021-35089 | Critical | High | Multimedia | Internal |
| CVE-2021-35110 | Critical | High | Boot | Internal |
| CVE-2021-1950 | High | High | Content Protection | Internal |
| CVE-2021-30328 | High | High | NR5G | Internal |
| CVE-2021-30329 | High | High | NR5G | Internal |
| CVE-2021-30332 | High | High | NR5G | Internal |
| CVE-2021-30333 | High | High | Multi-Mode Call Processor | 05/28/2021 |
| CVE-2021-35115 | High | High | Multimedia | Internal |

This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.

| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
|---|---|---|---|---|
| CVE-2021-30331 | Medium | Medium | Data Modem | 05/09/2021 |

CVE-2021-1942

| CVE ID | CVE-2021-1942 |
|---|---|
| Title | Permissions, Privileges and Access Controls in Core |
| Description | Improper handling of permissions of a shared memory region can lead to memory corruption |
| Technology Area | Core |
| Vulnerability Type | CWE-264 Permissions, Privileges, and Access Controls |
| Access Vector | Local |
| Security Rating | Critical |
| CVSS Rating | Critical |
| CVSS Score | 9.3 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 09/06/2021 |

Affected Chipsets*

AQT1000, AR8031, AR8035, CSRA6620, CSRA6640, FSM10055, FSM10056, MDM9150, QCA6390, QCA6391, QCA6420, QCA6426, QCA6430, QCA6436, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6595AU, QCA6696, QCA8337, QCA9984, QCM2290, QCM4290, QCM6490, QCN9011, QCN9012, QCS2290, QCS405, QCS410, QCS4290, QCS610, QCS6490, QCX315, QRB5165, QRB5165M, QRB5165N, QSM8250, SA4150P, SA4155P, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 675, SD 8cx Gen2, SD 8cx Gen3, SD460, SD480, SD662, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD7c, SD855, SD865 5G, SD870, SD888 5G, SDX55, SDX55M, SDX57M, SDXR2 5G, SM6225, SM6250, SM6250P, SM6375, SM7250P, SM7325P, SW5100, SW5100P, SXR2150P, WCD9335, WCD9340, WCD9341, WCD9360, WCD9370, WCD9375, WCD9380, WCD9385, WCN3910, WCN3950, WCN3980, WCN3988, WCN3991, WCN3998, WCN3999, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835

CVE-2021-35089

| CVE ID | CVE-2021-35089 |
|---|---|
| Title | Buffer Copy Without Checking Size of Input in Automotive Multimedia |
| Description | Possible buffer overflow due to lack of input IB amount validation while processing the user command |
| Technology Area | Multimedia |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Critical |
| CVSS Rating | High |
| CVSS Score | 8.4 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 12/06/2021 |

Affected Chipsets*

QCA6574AU, QCA6696, SA8155P

CVE-2021-35110

| CVE ID | CVE-2021-35110 |
|---|---|
| Title | Incorrect Type Conversion or Cast in Boot |
| Description | Possible buffer overflow due to improper validation of hash segment of file while allocating memory |
| Technology Area | Boot |
| Vulnerability Type | CWE-704 Incorrect Type Conversion or Cast |
| Access Vector | Local |
| Security Rating | Critical |
| CVSS Rating | High |
| CVSS Score | 8.1 |
| CVSS String | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 12/06/2021 |

Affected Chipsets*

SD 8 Gen1 5G, WCD9380, WCN6855, WCN6856, WSA8830, WSA8835

CVE-2021-1950

| CVE ID | CVE-2021-1950 |
|---|---|
| Title | Improper Access Control in Content Protection |
| Description | Improper cleaning of secure memory between authenticated users can lead to face authentication bypass |
| Technology Area | Content Protection |
| Vulnerability Type | CWE-284 Improper Access Control |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 09/06/2021 |

Affected Chipsets*

AR8035, CSR8811, IPQ6000, IPQ6005, IPQ6010, IPQ6018, IPQ6028, QCA4024, QCA6390, QCA6391, QCA6426, QCA6436, QCA6574AU, QCA6696, QCA8072, QCA8075, QCA8081, QCA9984, QCM2290, QCM4290, QCM6490, QCN5021, QCN5022, QCN5052, QCN5121, QCN5122, QCN5152, QCN6023, QCN6024, QCN9000, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCS2290, QCS405, QCS4290, QCS610, QCS6490, QSM8250, SA6145P, SA6150P, SA6155P, SA8145P, SA8150P, SA8155P, SA8195P, SA8540P, SA9000P, SD460, SD480, SD662, SD690 5G, SD750G, SD765, SD765G, SD768G, SD778G, SD865 5G, SD870, SD888 5G, SDX55, SDX55M, SDX57M, SDXR2 5G, SM6225, SM6375, SM7250P, SM7325P, SXR2150P, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3910, WCN3950, WCN3980, WCN3988, WCN3991, WCN3998, WCN3999, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835

CVE-2021-30328

| CVE ID | CVE-2021-30328 |
|---|---|
| Title | Reachable Assertion in Modem |
| Description | Possible assertion due to improper validation of invalid NR CSI-IM resource configuration |
| Technology Area | NR5G |
| Vulnerability Type | CWE-617 Reachable Assertion |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.5 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Date Reported | Internal |
| Customer Notified Date | 09/06/2021 |

Affected Chipsets*

AR8035, QCA6390, QCA6391, QCA6426, QCA6436, QCA6574A, QCA6574AU, QCA6595AU, QCA6696, QCA8081, QCA8337, QCX315, SA515M, SD 8 Gen1 5G, SD480, SD690 5G, SD750G, SD765, SD765G, SD768G, SD865 5G, SD870, SD888, SDX55, SDX55M, SDX65, SDXR2 5G, SM6375, SM7250P, SM7315, WCD9341, WCD9360, WCD9370, WCD9375, WCD9380, WCD9385, WCN3988, WCN3991, WCN3998, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835

CVE-2021-30329

| CVE ID | CVE-2021-30329 |
|---|---|
| Title | Reachable Assertion in Modem |
| Description | Possible assertion due to improper validation of TCI configuration |
| Technology Area | NR5G |
| Vulnerability Type | CWE-617 Reachable Assertion |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.5 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Date Reported | Internal |
| Customer Notified Date | 09/06/2021 |

Affected Chipsets*

AR8035, QCA6390, QCA6391, QCA6426, QCA6436, QCA6574A, QCA6574AU, QCA6595AU, QCA6696, QCA8081, QCA8337, QCM6490, QCS6490, QCX315, SA515M, SD 8 Gen1 5G, SD480, SD690 5G, SD750G, SD765, SD765G, SD768G, SD778G, SD865 5G, SD870, SD888, SD888 5G, SDX55, SDX55M, SDX65, SDXR2 5G, SM6375, SM7250P, SM7315, SM7325P, WCD9341, WCD9360, WCD9370, WCD9375, WCD9380, WCD9385, WCN3988, WCN3991, WCN3998, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835

CVE-2021-30332

| CVE ID | CVE-2021-30332 |
|---|---|
| Title | Reachable Assertion in Modem |
| Description | Possible assertion due to improper validation of OTA configuration |
| Technology Area | NR5G |
| Vulnerability Type | CWE-617 Reachable Assertion |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.5 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Date Reported | Internal |
| Customer Notified Date | 09/06/2021 |

Affected Chipsets*

AR8035, QCA6390, QCA6391, QCA6426, QCA6436, QCA6574A, QCA6574AU, QCA6595AU, QCA6696, QCA8081, QCA8337, QCM6490, QCS6490, QCX315, SA515M, SD 8 Gen1 5G, SD480, SD690 5G, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD865 5G, SD870, SD888, SD888 5G, SDX55, SDX55M, SDX65, SDXR2 5G, SM6375, SM7250P, SM7315, SM7325P, WCD9341, WCD9360, WCD9370, WCD9375, WCD9380, WCD9385, WCN3988, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835

CVE-2021-30333

| CVE ID | CVE-2021-30333 |
|---|---|
| Title | Buffer Copy Without Checking Size of Input in Modem |
| Description | Improper validation of buffer size input to the EFS file can lead to memory corruption |
| Technology Area | Multi-Mode Call Processor |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 05/28/2021 |
| Customer Notified Date | 09/06/2021 |

Affected Chipsets*

APQ8009W, APQ8017, APQ8053, APQ8096AU, AQT1000, AR8035, CSRB31024, MDM8207, MDM9207, MDM9607, MDM9628, MDM9640, MSM8909W, MSM8953, MSM8996AU, QCA6174A, QCA6390, QCA6391, QCA6420, QCA6426, QCA6430, QCA6436, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595AU, QCA6696, QCA8081, QCA8337, QCA9367, QCA9377, QCM2290, QCM4290, QCM6125, QCM6490, QCS2290, QCS410, QCS4290, QCS610, QCS6125, QCS6490, QCX315, QET4101, QSW8573, Qualcomm215, SA415M, SA515M, SD 675, SD 8 Gen1 5G, SD 8cx Gen2, SD205, SD210, SD429, SD439, SD460, SD480, SD660, SD662, SD665, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD7c, SD850, SD855, SD865 5G, SD870, SD888, SD888 5G, SDA429W, SDM429W, SDW2500, SDX24, SDX55, SDX55M, SDX65, SDXR1, SDXR2 5G, SM6225, SM6250, SM6250P, SM6375, SM7250P, SM7315, SM7325P, SW5100, SW5100P, WCD9306, WCD9326, WCD9330, WCD9335, WCD9340, WCD9341, WCD9360, WCD9370, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3620, WCN3660B, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835

CVE-2021-35115

| CVE ID | CVE-2021-35115 |
|---|---|
| Title | Use After Free in Automotive Multimedia |
| Description | Improper handling of multiple sessions supported by PVM backend can lead to use after free |
| Technology Area | Multimedia |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 8.4 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 12/06/2021 |

Affected Chipsets*

APQ8096AU, AR6003, MDM8215, MDM8215M, MDM8615M, MDM9215, MDM9310, MDM9615, MDM9615M, MSM8996AU, QCA6564A, QCA6564AU, QCA6574A, QCA6574AU, QCA6584AU, QCA6696, SA6145P, SA6150P, SA6155P, SA8145P, SA8150P, SA8155P, SA8195P, SA8540P, SA9000P, SDX55, SDX55M, WCD9341

CVE-2021-30331

| CVE ID | CVE-2021-30331 |
|---|---|
| Title | Information Exposure in Data Modem |
| Description | Possible buffer overflow due to improper data validation of external commands sent via DIAG interface |
| Technology Area | Data Modem |
| Vulnerability Type | CWE-200 Information Exposure |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | Medium |
| CVSS Score | 5.5 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| Date Reported | 05/09/2021 |
| Customer Notified Date | 09/06/2021 |

Affected Chipsets*

AR8035, FSM10055, FSM10056, MDM9150, MDM9650, QCA6174A, QCA6390, QCA6391, QCA6426, QCA6436, QCA8081, QCA8337, QCA9377, QCM2290, QCM4290, QCM6125, QCM6490, QCS2290, QCS410, QCS4290, QCS610, QCS6125, QCS6490, QCX315, SD 675, SD 8 Gen1 5G, SD460, SD480, SD662, SD665, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD865 5G, SD870, SD888 5G, SDX55, SDX55M, SDX65, SDXR2 5G, SM6225, SM6250, SM6250P, SM6375, SM7250P, SM7325P, SW5100, SW5100P, WCD9335, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835

*The list of affected chipsets may not be complete. For latest information, device OEMs can contact QTI directly at www.qualcomm.com/support.

Open Source Software Issues

The tables below summarize security vulnerabilities that were addressed through open source software.

This table lists high impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.

| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
|---|---|---|---|---|
| CVE-2021-35088 | High | High | WLAN Host Communication | 07/29/2021 |
| CVE-2021-35103 | High | High | WLAN Host Communication | 09/06/2021 |
| CVE-2021-35105 | High | High | Graphics | 09/09/2021 |
| CVE-2021-35106 | High | High | WLAN HOST | 09/07/2021 |
| CVE-2021-35117 | High | High | WLAN HOST | 07/30/2021 |

This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.

| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
|---|---|---|---|---|
| CVE-2021-30299 | Medium | Medium | Audio | 02/17/2021 |

CVE-2021-35088

| CVE ID | CVE-2021-35088 |
|---|---|
| Title | Buffer Over-read in WLAN |
| Description | Possible out of bound read due to improper validation of IE length during SSID IE parse when channel is DFS |
| Technology Area | WLAN Host Communication |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 8.2 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L |
| Date Reported | 07/29/2021 |
| Customer Notified Date | 11/01/2021 |

Affected Chipsets*

AQT1000, AR8035, AR9380, CSR8811, CSRB31024, FSM10055, FSM10056, IPQ4018, IPQ4019, IPQ4028, IPQ4029, IPQ5010, IPQ5018, IPQ5028, IPQ6000, IPQ6010, IPQ6018, IPQ6028, IPQ8064, IPQ8065, IPQ8068, IPQ8070, IPQ8070A, IPQ8071, IPQ8071A, IPQ8072, IPQ8072A, IPQ8074, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078, IPQ8078A, IPQ8173, IPQ8174, PMP8074, QCA4024, QCA6175A, QCA6390, QCA6391, QCA6426, QCA6428, QCA6436, QCA6438, QCA6554A, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCA7500, QCA8072, QCA8075, QCA8081, QCA8337, QCA9880, QCA9886, QCA9888, QCA9889, QCA9898, QCA9980, QCA9984, QCA9985, QCA9990, QCA9992, QCA9994, QCM2290, QCM4290, QCM6125, QCM6490, QCN5021, QCN5022, QCN5024, QCN5052, QCN5054, QCN5064, QCN5122, QCN5124, QCN5152, QCN5154, QCN5164, QCN5550, QCN6023, QCN6024, QCN6100, QCN6102, QCN6112, QCN6122, QCN6132, QCN9000, QCN9011, QCN9012, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCN9100, QCS2290, QCS4290, QCS6125, QCS6490, QCX315, QRB5165, QRB5165M, QRB5165N, SA4150P, SA4155P, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 675, SD 8 Gen1 5G, SD460, SD480, SD660, SD662, SD665, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD855, SD865 5G, SD870, SD888, SD888 5G, SDX55, SDX55M, SDX65, SDXR1, SDXR2 5G, SM6225, SM6250, SM6375, SM7250P, SM7315, SM7325P, SW5100, SW5100P, WCD9326, WCD9335, WCD9341, WCD9360, WCD9370, WCD9375, WCD9380, WCD9385, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835

Patch**

  • https://source.codeaurora.org/quic/qsdk/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn/commit/?id=6196d775c367df4dca39bf5c20546058bd4b6cc6

CVE-2021-35103

| CVE ID | CVE-2021-35103 |
|---|---|
| Title | Buffer Copy Without Checking Size of Input in WLAN |
| Description | Possible out of bound write due to improper validation of number of timer values received from firmware while syncing timers |
| Technology Area | WLAN Host Communication |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 09/06/2021 |
| Customer Notified Date | 12/06/2021 |

Affected Chipsets*

AR8035, AR9380, CSR8811, CSRB31024, IPQ4018, IPQ4019, IPQ4028, IPQ4029, IPQ5010, IPQ5018, IPQ5028, IPQ6010, IPQ6018, IPQ6028, IPQ8064, IPQ8065, IPQ8068, IPQ8070, IPQ8070A, IPQ8071A, IPQ8072A, IPQ8074A, IPQ8076, IPQ8076A, IPQ8078, IPQ8078A, IPQ8173, IPQ8174, PMP8074, QCA4024, QCA6390, QCA6391, QCA6426, QCA6436, QCA6554A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCA7500, QCA8072, QCA8075, QCA8081, QCA8337, QCA9880, QCA9886, QCA9888, QCA9889, QCA9898, QCA9980, QCA9984, QCA9985, QCA9990, QCA9992, QCA9994, QCM6125, QCM6490, QCN5021, QCN5022, QCN5024, QCN5052, QCN5054, QCN5122, QCN5124, QCN5152, QCN5154, QCN5164, QCN6023, QCN6024, QCN6100, QCN6102, QCN6112, QCN6122, QCN6132, QCN9000, QCN9011, QCN9012, QCN9022, QCN9024, QCN9070, QCN9072, QCN9074, QCN9100, QCS6125, QCS6490, QRB5165, QRB5165M, QRB5165N, SA4150P, SA4155P, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 8 Gen1 5G, SD460, SD480, SD662, SD765, SD765G, SD768G, SD778G, SD780G, SD865 5G, SD870, SD888, SD888 5G, SDX55, SDX55M, SDX65, SDXR2 5G, SM6225, SM6375, SM7250P, SM7315, SM7325P, SW5100, SW5100P, WCD9360, WCD9370, WCD9375, WCD9380, WCD9385, WCN3950, WCN3980, WCN3988, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835

Patch**

  • https://source.codeaurora.org/quic/qsdk/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn/commit/?id=dce054909b432773df3d1c8c4230bad7f12a2b45

CVE-2021-35105

| CVE ID | CVE-2021-35105 |
|---|---|
| Title | Incorrect Type Conversion or Cast in Graphics |
| Description | Possible out of bounds access due to improper input validation during graphics profiling |
| Technology Area | Graphics |
| Vulnerability Type | CWE-704 Incorrect Type Conversion or Cast |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 8.4 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 09/09/2021 |
| Customer Notified Date | 12/06/2021 |

Affected Chipsets*

APQ8009W, APQ8017, APQ8053, APQ8096AU, AQT1000, AR8031, AR8035, CSRA6620, CSRA6640, CSRB31024, FSM10055, FSM10056, MDM9150, MDM9206, MDM9250, MDM9607, MDM9628, MDM9650, MSM8909W, MSM8953, MSM8996AU, QCA6174A, QCA6390, QCA6391, QCA6426, QCA6436, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584, QCA6584AU, QCA6595AU, QCA6696, QCA8081, QCA8337, QCA9367, QCA9377, QCM2290, QCM4290, QCM6125, QCM6490, QCN9011, QCN9012, QCS2290, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QCS6490, QCS8155, QCX315, QET4101, QRB5165, QRB5165M, QRB5165N, QSM8250, QSW8573, Qualcomm215, SA4150P, SA4155P, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 675, SD 8 Gen1 5G, SD205, SD210, SD429, SD439, SD460, SD480, SD660, SD662, SD665, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD855, SD865 5G, SD870, SD888, SD888 5G, SDA429W, SDM429W, SDW2500, SDX12, SDX20, SDX24, SDX55, SDX55M, SDX65, SDXR1, SDXR2 5G, SM6225, SM6250, SM6250P, SM6375, SM7250P, SM7315, SM7325P, SW5100, SW5100P, WCD9326, WCD9330, WCD9335, WCD9340, WCD9341, WCD9360, WCD9370, WCD9375, WCD9380, WCD9385, WCN3610, WCN3615, WCN3620, WCN3660B, WCN3680B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835

Patch**

  • https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=c1c8190946b55edf536ec53432ebb94257280a2a
  • https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=a134f476741492666ac75fd9dc14ed0f9d589d6e

CVE-2021-35106

| CVE ID | CVE-2021-35106 |
|---|---|
| Title | Buffer Over-read in WLAN Host |
| Description | Possible out of bound read due to improper length calculation of WMI message. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.8 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 09/07/2021 |
| Customer Notified Date | 12/06/2021 |

Affected Chipsets*

AQT1000, AR8031, AR8035, CSRA6620, CSRA6640, CSRB31024, FSM10055, FSM10056, QCA6175A, QCA6390, QCA6391, QCA6426, QCA6436, QCA6554A, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCA8081, QCA8337, QCM2290, QCM4290, QCM6125, QCM6490, QCS2290, QCS405, QCS4290, QCS610, QCS6125, QCS6490, QRB5165, QRB5165M, QRB5165N, SA4150P, SA4155P, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 675, SD 8 Gen1 5G, SD460, SD480, SD660, SD662, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD780G, SD855, SD865 5G, SD870, SD888, SD888 5G, SDX55, SDX55M, SDX65, SDXR1, SDXR2 5G, SM6225, SM6250, SM6375, SM7250P, SM7315, SM7325P, SW5100, SW5100P, WCD9326, WCD9335, WCD9341, WCD9360, WCD9370, WCD9375, WCD9380, WCD9385, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835

Patch**

  • https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=5f44ff8a5b375fec9361bd460856f5e02b8b7746
  • https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=e17be617ae39e9e9520d0bc65d2c4e08c7697267

CVE-2021-35117

| CVE ID | CVE-2021-35117 |
|---|---|
| Title | Buffer Over-read in WLAN Host |
| Description | An Out of Bounds read may potentially occur while processing an IBSS beacon, |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 8.2 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L |
| Date Reported | 07/30/2021 |
| Customer Notified Date | 12/06/2021 |

Affected Chipsets*

APQ8096AU, AQT1000, AR8031, AR8035, CSRA6620, CSRA6640, CSRB31024, MSM8996AU, QCA6175A, QCA6390, QCA6391, QCA6426, QCA6436, QCA6554A, QCA6564, QCA6564A, QCA6564AU, QCA6574, QCA6574A, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6696, QCA8081, QCA8337, QCM2290, QCM4290, QCM6125, QCS2290, QCS405, QCS410, QCS4290, QCS610, QCS6125, QCX315, QRB5165, QRB5165M, QRB5165N, SA415M, SA6145P, SA6150P, SA6155, SA6155P, SA8145P, SA8150P, SA8155, SA8155P, SA8195P, SD 675, SD660, SD665, SD675, SD678, SD690 5G, SD720G, SD730, SD750G, SD765, SD765G, SD768G, SD778G, SD855, SD865 5G, SD870, SD888, SD888 5G, SDX55, SDX55M, SDX65, SDXR1, SDXR2 5G, SM6225, SM6250, SM6250P, SM7250P, SM7315, SM7325P, WCD9326, WCD9335, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN3999, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835

Patch**

  • https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=ef0f64fb81401bd7ea71d05f9416c57c3ab7937d

CVE-2021-30299

| CVE ID | CVE-2021-30299 |
|---|---|
| Title | Improper Input Validation in Audio |
| Description | Possible out of bound access in audio module due to lack of validation of user provided input |
| Technology Area | Audio |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | Medium |
| CVSS Score | 6.7 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 02/17/2021 |
| Customer Notified Date | 06/07/2021 |

Affected Chipsets*

APQ8096AU, AR8031, AR8035, CSRA6620, CSRA6640, MDM9150, QCA6390, QCA6391, QCA6426, QCA6436, QCA6564, QCA6564A, QCA6564AU, QCA6574A, QCA6574AU, QCA6696, QCA8337, QCM2290, QCM4290, QCM6125, QCM6490, QCS2290, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QCS6490, QRB5165, QRB5165M, QRB5165N, SA6145P, SA6150P, SA6155P, SA8145P, SA8150P, SA8155P, SA8195P, SD205, SD210, SD480, SD765, SD765G, SD768G, SD780G, SD865 5G, SD870, SD888 5G, SDA429W, SDX55, SDX55M, SDXR2 5G, SM6225, SM6375, SM7250P, WCD9335, WCD9340, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3610, WCN3620, WCN3660B, WCN3910, WCN3950, WCN3980, WCN3988, WCN3990, WCN3991, WCN3998, WCN6740, WCN6750, WCN6850, WCN6851, WCN6855, WCN6856, WSA8810, WSA8815, WSA8830, WSA8835

Patch**

  • https://source.codeaurora.org/quic/qsdk/platform/vendor/opensource/audio-kernel/commit/?id=af8f469f179cc2df9aa0aa0d09d3e986072c272a

* The list of affected chipsets may not be complete. For latest information, device OEMs can contact QTI directly at www.qualcomm.com/support.

** Data is generated only at the time of bulletin creation

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

  • Consideration of security protections such as SELinux not enforced on some platforms
  • Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high level OS kernel

Version History

| Version | Date | Comments |
|---|---|---|
| 1.0 | March 7, 2022 | Bulletin Published |

All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.

Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.

This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.

Qualcomm Technologies, Inc.
5775 Morehouse Drive
San Diego, CA 92121
U.S.A.
© 2019 Qualcomm Technologies, Inc. and/or its subsidiaries. All rights reserved.
