SB2023040336 - Multiple vulnerabilities in Qualcomm chipsets
Published: April 3, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 33 secuirty vulnerabilities.
1) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2022-33270)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in Modem. A remote attacker can perform a denial of service (DoS) attack.
2) Buffer over-read (CVE-ID: CVE-2022-25747)
The vulnerability allows a remote attacker to read and manipulate data.
The vulnerability exists due to improper input validation in MODEM. A remote attacker can read and manipulate data.
3) Buffer over-read (CVE-ID: CVE-2022-33222)
The vulnerability allows a remote attacker to read and manipulate data.
The vulnerability exists due to improper input validation in Modem. A remote attacker can read and manipulate data.
4) NULL Pointer Dereference (CVE-ID: CVE-2022-33223)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in Modem. A remote attacker can perform a denial of service (DoS) attack.
5) Buffer over-read (CVE-ID: CVE-2022-33228)
The vulnerability allows a remote attacker to read and manipulate data.
The vulnerability exists due to improper input validation in Modem. A remote attacker can read and manipulate data.
6) Buffer over-read (CVE-ID: CVE-2022-33258)
The vulnerability allows a remote attacker to read and manipulate data.
The vulnerability exists due to improper input validation in Modem. A remote attacker can read and manipulate data.
7) Integer overflow (CVE-ID: CVE-2022-33269)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Core. A local application can execute arbitrary code.
8) Integer overflow (CVE-ID: CVE-2022-33282)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive Multimedia. A local application can execute arbitrary code.
9) Use of Uninitialized Variable (CVE-ID: CVE-2022-25737)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation in MODEM. A remote attacker can gain access to sensitive information.
10) Buffer over-read (CVE-ID: CVE-2022-33287)
The vulnerability allows a remote attacker to read and manipulate data.
The vulnerability exists due to improper input validation in Modem. A remote attacker can read and manipulate data.
11) Buffer over-read (CVE-ID: CVE-2022-33291)
The vulnerability allows a remote attacker to read and manipulate data.
The vulnerability exists due to improper input validation in Modem. A remote attacker can read and manipulate data.
12) NULL Pointer Dereference (CVE-ID: CVE-2022-33294)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in Modem. A remote attacker can perform a denial of service (DoS) attack.
13) Buffer over-read (CVE-ID: CVE-2022-33295)
The vulnerability allows a remote attacker to read and manipulate data.
The vulnerability exists due to improper input validation in Modem. A remote attacker can read and manipulate data.
14) Integer overflow (CVE-ID: CVE-2022-40532)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in WLAN. A local application can execute arbitrary code.
15) Integer underflow (CVE-ID: CVE-2023-21630)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Multimedia Framework. A local application can execute arbitrary code.
16) NULL Pointer Dereference (CVE-ID: CVE-2022-25739)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in MODEM. A remote attacker can perform a denial of service (DoS) attack.
17) Incorrect Calculation of Buffer Size (CVE-ID: CVE-2022-25731)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation in MODEM. A remote attacker can gain access to sensitive information.
18) Buffer over-read (CVE-ID: CVE-2022-40503)
The vulnerability allows a remote attacker to read and manipulate data.
The vulnerability exists due to improper input validation in Bluetooth Host.. A remote attacker can read and manipulate data.
19) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2022-25745)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation in MODEM. A remote attacker can execute arbitrary code.
20) Integer overflow (CVE-ID: CVE-2022-33296)
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to improper input validation in Modem. A local application can read and manipulate data.
21) Buffer over-read (CVE-ID: CVE-2022-33297)
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to improper input validation in Linux Sensors. A local application can read and manipulate data.
22) Use After Free (CVE-ID: CVE-2022-33298)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation in Modem. A local privileged application can execute arbitrary code.
23) Incorrect Type Conversion or Cast (Type Conversion) (CVE-ID: CVE-2022-33301)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation in Audio. A local privileged application can execute arbitrary code.
24) Buffer overflow (CVE-ID: CVE-2022-25678)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation in MODEM. A remote attacker can execute arbitrary code.
25) Buffer overflow (CVE-ID: CVE-2022-25740)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation in MODEM. A remote attacker can execute arbitrary code.
26) Improper input validation (CVE-ID: CVE-2022-33211)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation in MODEM. A remote attacker can execute arbitrary code.
27) Buffer over-read (CVE-ID: CVE-2022-25730)
The vulnerability allows a remote attacker to read and manipulate data.
The vulnerability exists due to improper input validation in MODEM. A remote attacker can read and manipulate data.
28) Double Free (CVE-ID: CVE-2022-33231)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Core. A local application can execute arbitrary code.
29) Buffer overflow (CVE-ID: CVE-2022-33259)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation in Modem. A remote attacker can execute arbitrary code.
30) Buffer overflow (CVE-ID: CVE-2022-33288)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Core. A local application can execute arbitrary code.
31) Improper Validation of Array Index (CVE-ID: CVE-2022-33289)
The vulnerability allows a local attacker to execute arbitrary code.
The vulnerability exists due to improper input validation in Modem. A local attacker can execute arbitrary code.
32) Improper Validation of Array Index (CVE-ID: CVE-2022-33302)
The vulnerability allows a local attacker to execute arbitrary code.
The vulnerability exists due to improper input validation in User Identity Module. A local attacker can execute arbitrary code.
33) Buffer over-read (CVE-ID: CVE-2022-25726)
The vulnerability allows a remote attacker to read and manipulate data.
The vulnerability exists due to improper input validation in MODEM. A remote attacker can read and manipulate data.
Remediation
Install update from vendor's website.