Release Notes Secret

Product name: STK-LX1
Confidentiality level: Secret
Commercial name: Huawei P smart Z
Total 51 pages

HUAWEI
STK-LX1 9.0.1.132(SP52C10E2R1P1)

Release Notes

Prepared by Saket Anand Date 2019-05-06

Reviewed by Pruthvi J Pallagatti p00268655 Date 2019-05-06

Granted by Abhijith K S a72191 Date 2019-05-06

2022-2-2 All Rights Reserved Page 1 of 106


Huawei Technologies Co., Ltd.

All rights reserved


Revision record

| Date | Revision Version | Software version | Change description | Author |
| --- | --- | --- | --- | --- |
| | 1 | STK-LX1 9.0.1.18(C10E2R1P1) | TA1 | SWX598524 |
| | 2 | STK-LX1 9.0.1.105(SP51C10E2R1P1) | TA | SWX598524 |
| | 3 | STK-LX1 9.0.1.132(SP52C10E2R1P1) | MR | SWX598524 |

Contents

1 Improvements
1.1 Fixed issues found by Huawei
1.2 Fixed issues Found by Operator
1.3 Fixed /Merged FFR/ VOC/ I care issue
2 Known Issues
2.1 Fatal / Critical
2.2 Serious, Major and Minor
3 Software Vulnerabilities Fixes

STK-LX1 9.0.1.132(SP52C10E2R1P1)

Release Notes
Version information description

This document gives an update on the STK-LX1 software delivery details carried out by the Huawei team on the STK-LX1 handset.

Current version: STK-LX1 9.0.1.132(SP52C10E2R1P1)
Previous version: STK-LX1 9.0.1.105(SP51C10E2R1P1)
Android version: Android 9
EMUI version: EMUI 9.0.1
Baseband version: 21C20B388S000C000, 21C20B388S000C000
Kernel version: 4.9.111 android@localhost #1 Sat Apr 27 03:50:58 CST 2019
Version type: MR
Chipset: Hisilicon Kirin 710F

1 Improvements

Bug ID Description

Implemented ARs

1.1 Fixed issues found by Huawei


This table mainly lists the issues found by Huawei internal tests or during parallel approval processes that are fixed in this software release. Huawei considers these issues critical: they have a strong impact on the functionality or stability of the handset, or a negative impact on the end-user experience.

| Bug ID | Priority Level | Description |
| --- | --- | --- |
| DTS2019031405035 | Minor | Yandex widget in the device is not the updated one |
| DTS2019030412105 | Minor | According to cloud apk sheet, HwHiAIDSEngine.apk should not be present in device, but it is present |
| DTS2019030111271 | Minor | In Drawer Mode, Right 1st Screen, AppGallery is missing in Homescreen. |
| DTS2019030504405 | Suggestion | The degree of exposure is inconsistent, the number of feedback accounts for 10%, and the feedback sample accounts for 1.58% |
| DTS2019030504291 | Suggestion | After the multi-scene photos, the overall brightness is low, the feedback number accounts for 20%, and the feedback sample accounts for 3.48%. |
| DTS2019030504114 | Suggestion | Photographed after the blue sky scene, the saturation of the blue sky is high, the number of feedback accounts for 30%, and the feedback sample accounts for 2.53%. |
| DTS2019030504051 | Suggestion | Change the zoom resolution, the noise is large, the feedback is 5%, and the feedback sample is 0.32%. |
| DTS2019030504024 | Suggestion | The rear night mode takes pictures of AWB color cast, the number of feedback accounts for 5%, and the feedback sample accounts for 0.63%. |
| DTS2019030503456 | Suggestion | Pre-self-timer, the overall brightness is low, the proportion of feedback is 16%, and the feedback sample is 2.65%. |
| DTS2019030409626 | Minor | Same scene brightness definition, noise instability |
| DTS2019022309183 | Minor | SAR |

1.2 Fixed issues Found by Operator


This table lists all the issues fixed in this software build, which were found by the operator
during approval cycles.

| Bug ID | Priority Level | Description |
| --- | --- | --- |
| NA | | |

1.3 Fixed /Merged FFR/ VOC/ I care issue


This table lists all the FFR/VOC/Icare issues fixed/merged in this software build, which were identified by the FFR team owner to merge into the build.

| Module | DTS ID | Defect severity | Description |
| --- | --- | --- | --- |
| NA | | | |

2 Known Issues

2.1 Fatal / Critical


| Bug ID | Priority Level | Description | Remarks |
| --- | --- | --- | --- |
| NA | | | |

2.2 Serious, Major and Minor


| Bug ID | Priority Level | Description | Remarks |
| --- | --- | --- | --- |
| DTS2019041210911 | Minor | WFC doesn't work in the flight mode. According to the new specifications it should work | |
| DTS2019041210868 | Minor | MTS: short numbers are not working in the VoLTE | |
| DTS2019031112769 | Minor | Conference call drop in MTS and Megafon. | |
| DTS2019030504196 | Minor | After the same scene, the color performance is inconsistent, the feedback is 10%, and the feedback sample is 1.9%. | Related to Camera color performance suggestion |
| DTS2019030503332 | Suggestion | Pre-self-timer, blue sky saturation is high, the proportion of feedback is 16%, and the feedback sample is 1.89%. | Suggestion for camera saturation. Analysis is being done |
| DTS2019030410497 | Suggestion | Clothes with black edges in multi-frame synthesis | Camera edge related issue. Next version they will regress it. |
| DTS2019030410209 | Suggestion | Face recognition failed | Suggestion for face recognition in low light while taking the picture. Analysis is being done for this suggestion |
| DTS2019030409729 | Suggestion | HDR scene brightness is inconsistent | HDR screen brightness suggestion. Next version they will regress it. |

3 Software Vulnerabilities Fixes

[Software Vulnerabilities include Android Vulnerability, Third-party software Vulnerability, and Huawei Vulnerability.]

[Android Vulnerability comes from Google, which reports it publicly.]

[Third-party software is a type of computer software that is sold together with or provided for free in Huawei products or solutions with the ownership of intellectual property rights (IPR) held by the original contributors. Third-party software can be but is not limited to: purchased software; software that is built in or attached to purchased hardware; software in products of the original equipment manufacturer (OEM) or original design manufacturer (ODM); software that is developed with technical contribution from partners (ownership of IPR all or partially held by the partners); software that is legally obtained free of charge.

The data of third-party software vulnerabilities fixes can be exported from PDM.

If the table is excessively long, you can divide it into multiple ones by product version, or deliver it in an excel file with patch release notes and provide reference information in this section.]

[Huawei Vulnerability is a vulnerability in Huawei's own software that was found by outside parties.]

Vulnerabilities information is available through CVE IDs on the NVD (National Vulnerability Database) website: http://web.nvd.nist.gov/view/vuln/search

Attention:

1. If the product uses the Qualcomm platform, it also incorporates the vulnerability and adds the related vulnerability to the Release Notes.
Notice: Added to the release notes if the product uses the Qualcomm platform and has already merged it.

2. If the product uses Broadcom wifi, it also incorporates this vulnerability and then adds related vulnerabilities to the Release Notes.
Notice: Added to the release notes if the product uses Broadcom wifi and has already merged it.

3. This vulnerability only affects NVIDIA's mediaCode related components; it only affects the NVIDIA Tegra K1 Dual Denver 64-bit Processor.

4. If the product uses the MediaTek platform, this vulnerability has also been incorporated and the related vulnerability has been added to the Release Notes.
Notice: Added to the release notes if the product uses the MediaTek platform and has already merged it.

| Software/Module name | Version | CVE ID | Vulnerability Description | Impact Description |
| --- | --- | --- | --- | --- |
| Platform | 8.0, 8.1 | CVE-2017-13281 | In avrc_pars_browsing_cmd of avrc_pars_tg.cc, there is a possible stack buffer overflow due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to fix the bounds check. |
| Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13276 | In CProgramConfig_ReadHeightExt of tpdec_asc.cpp, there is a possible stack buffer overflow due to a missing bounds check. This could lead to a remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. | The fix is designed to add bounds checks to prevent the overflow. |
| Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13277 | In ihevcd_fmt_conv of ihevcd_fmt_conv.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. | The fix is designed to add a bounds check. |
| Platform | 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13282 | In avrc_ctrl_pars_vendor_rsp of avrc_pars_ct.cc, there is a possible stack buffer overflow due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add a bounds check. |
| Platform | 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13283 | In avrc_ctrl_pars_vendor_rsp of bluetooth avrcp_ctrl, there is a possible out of bounds write on the stack due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add a bounds check. |
| Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13278 | In MediaPlayerService::Client::notify of MediaPlayerService.cpp, there is a possible use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to fix the logic in order to avoid the use after free. |
| Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13284 | In config_set_string of config.cc, it is possible to pair a second BT keyboard without user approval due to improper input validation. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to validate the configuration value. |
| Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13285 | In SvoxSsmlParser and startElement of svox_ssml_parser.cpp, there is a possible out of bounds write due to an uninitialized buffer. This could lead to remote code execution in an unprivileged process with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to initialize the buffer. |
| Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13267 | In avrc_pars_vendor_cmd of avrc_pars_tg.cc, there is a possible stack corruption due to a missing bounds check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add a bounds check. |
| Platform | 8.0, 8.1 | CVE-2017-13286 | In writeToParcel and readFromParcel of OutputConfiguration.java, there is a permission bypass due to mismatched serialization. This could lead to a local escalation of privilege where the user can start an activity with system privileges, with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to fix the parcel read/write mismatch. |
| Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13279 | In M3UParser::parse of M3UParser.cpp, there is a memory resource exhaustion due to a large loop of pushing items into a vector. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. | The fix is designed to detect variant streams without EXT-X-STREAM-INF in order to prevent the loop. |
| Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13280 | In the FrameSequence_gif::FrameSequence_gif function of libframesequence, there is an out of bounds read due to a missing bounds check. This could lead to a remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add a bounds check. |
| Platform | 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13287 | In createFromParcel of VerifyCredentialResponse.java, there is a possible invalid parcel read due to improper input validation. This could lead to local escalation of privilege if mPayload in writeToParcel were null, with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to fix the read/write mismatch. |
| Platform | 8.0, 8.1 | CVE-2017-13288 | In writeToParcel and readFromParcel of PeriodicAdvertisingReport.java, there is a permission bypass due to a 64/32bit int mismatch. This could lead to a local escalation of privilege where the user can start an activity with system privileges, with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to fix the read/write mismatch. |
| Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13274 | In the getHost() function of UriTest.java, there is the possibility of incorrect web origin determination. This could lead to incorrect security decisions with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to correct the handling of backslash characters in URIs. |
| Platform | 8.0, 8.1 | CVE-2017-13275 | In getVSCoverage of CmapCoverage.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with no additional privileges needed. User interaction is needed for exploitation. | The fix is designed to fix the bounds check and avoid integer overflow. |
| Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13289 | In writeToParcel and createFromParcel of RttManager.java, there is a permission bypass due to a write size mismatch. This could lead to a local escalation of privileges where the user can start an activity with system privileges, with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to fix the read/write mismatch. |
| Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13290 | In sdp_server_handle_client_req of sdp_server.cc, there is an out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add bounds checks. |
| Platform | 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13291 | In avrc_ctrl_pars_vendor_rsp of avrc_pars_ct.cc, there is a possible NULL pointer dereference due to missing bounds checks. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add bounds checks. |
| Broadcom components | NA | CVE-2017-13292 | In wl_get_assoc_ies of wl_cfg80211.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add appropriate bounds checks to avoid the out of bound writes. |
| Kernel | NA | CVE-2017-5754 | Speculative execution reading inaccessible memory could cause measurable changes in the cache state, allowing an attacker to use timing checks to determine the content of kernel memory. | The fix is designed to unmap kernel memory while running in user mode. |
| Kernel | NA | CVE-2017-1653 | In cdc_parse_cdc_header of message.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add several bounds checks. |
| Kernel | NA | CVE-2017-13293 | In the nfc_hci_cmd_received() function of core.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to check the size of the incoming data buffer. |
| Qualcomm components | NA | CVE-2017-13077 | In __wlan_hdd_cfg80211_add_key of wlan_hdd_cfg80211.c, there is a remote bypass of user interaction requirements due to improperly used crypto. This could lead to remote bypass of user interaction requirements with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to propagate the key sequence counter to SME. |
| Qualcomm components | NA | CVE-2017-17770 | In binder_transaction of binder.c, there is memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to dequeue a node before freeing it. |
| Qualcomm components | NA | CVE-2018-3566 | In ProcSetReqInternal of cfgProcMsg.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to validate a length variable to ensure it does not exceed CFG_MAX_STR_LEN. |
| Qualcomm components | NA | CVE-2018-3563 | In apr_cb_func of apr.c and apr_vm_cb_process_evt of apr_vm.c, there is a possible arbitrary code execution due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add appropriate bounds checks on the APR port received from the ADSP. |
| Qualcomm components | NA | CVE-2017-15822 | In wma_process_rmf_frame of wma_mgmt.c, there is a possible Out Of Bounds Write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add sanity check to drop the packet if mpdu_data_len is greater than 2000 bytes |
| Qualcomm closed-source components | NA | CVE-2017-18071 | | |
| Qualcomm closed-source components | NA | CVE-2017-8274 | | |
| Qualcomm closed-source components | NA | CVE-2017-18146 | | |
| Qualcomm closed-source components | NA | CVE-2017-18128 | | |
| Qualcomm closed-source components | NA | CVE-2018-3592 | | |
| Qualcomm closed-source components | NA | CVE-2018-3591 | | |
| Qualcomm closed-source components | NA | CVE-2017-18074 | | |
| Qualcomm closed-source components | NA | CVE-2017-18073 | | |
| Qualcomm closed-source components | NA | CVE-2017-18125 | | |
| Qualcomm closed-source components | NA | CVE-2017-8275 | | |
| Qualcomm closed-source components | NA | CVE-2017-11011 | | |
| Qualcomm closed-source components | NA | CVE-2017-18137 | | |
| Qualcomm closed-source components | NA | CVE-2017-18134 | | |
| Qualcomm closed-source components | NA | CVE-2017-18136 | | |
| Qualcomm closed-source components | NA | CVE-2017-18140 | | |
| Qualcomm closed-source components | NA | CVE-2017-18135 | | |
| Qualcomm closed-source components | NA | CVE-2017-18142 | | |
| Qualcomm closed-source components | NA | CVE-2017-18138 | | |
| Qualcomm closed-source components | NA | CVE-2017-18139 | | |
| Qualcomm closed-source components | NA | CVE-2017-18129 | | |
| Qualcomm closed-source components | NA | CVE-2017-18132 | | |
| Qualcomm closed-source components | NA | CVE-2017-18133 | | |
| Qualcomm closed-source components | NA | CVE-2017-18072 | | |
| Qualcomm closed-source components | NA | CVE-2017-18126 | | |
| Qualcomm closed-source components | NA | CVE-2017-18144 | | |
| Qualcomm closed-source components | NA | CVE-2017-18145 | | |
| Qualcomm closed-source components | NA | CVE-2017-18147 | | |
| Qualcomm closed-source components | NA | CVE-2017-18130 | | |
| Qualcomm closed-source components | NA | CVE-2017-18143 | | |
| Qualcomm closed-source components | NA | CVE-2017-18127 | | |
| Qualcomm closed-source components | NA | CVE-2018-3590 | | |
| Qualcomm closed-source components | NA | CVE-2018-3593 | | |
| Qualcomm closed-source components | NA | CVE-2018-3589 | | |
| Qualcomm closed-source components | NA | CVE-2018-3594 | | |
| Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13294 | In the handleAttachmentUrisFromIntent() function of ComposeActivity.java, there is a confused deputy that can be used to compose an email with a file attachment from another message. This could lead to local information disclosure of local files with no additional execution privileges needed. User interaction is needed for exploitation. | The fix is designed to prevent Compose from accepting URIs with bad attachment paths. |
| Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13295 | In the handleAttachmentUrisFromIntent() function of ComposeActivity.java, there is a possible denial of service due to improper input validation. This could lead to local denial of service by preventing the uninstallation of a malicious application with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to validate application label strings. |
| Platform | 6.0, 6.0.1 | CVE-2017-13300 | In ihevcd_decode of ihevcd_decode.c there is a possible resource exhaustion due to an infinite loop. This could lead to a denial of service with no additional execution privileges needed. User interaction is needed for exploitation. | The fix is designed to move the update of sps_id in ps_codec to the end of the function to ensure sps is completely parsed to avoid the infinite loop. |
| Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13296 | In ih264d_mv_pred_ref_tfr_nby2_pmb() of ih264d_parse_slice, there is an out of bound read due to a missing bounds check. This could lead to a remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. | The fix is designed to prevent an out of bound read. |
| Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13297 | In ihevcd_parse_slice_header of libhevc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. | The fix is designed to add a bounds check. |
| Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13298 | In FindNAL of avc_utils.cpp there is a possible out of bounds read due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. | The fix is designed to add a bounds check. |
| Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13299 | In ih264d_form_scaling_matrix_picture of ih264d_parse_slice.c, there is a null pointer dereference due to a missing initialization. This could lead to a remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. | The fix is designed to avoid NULL pointer dereference. |
| Platform | 8.0 | CVE-2017-13301 | In the system UI, there is a possible crash if an "android:drawable" in an adaptive icon refers to itself. This could lead to a local permanent denial of service, with no additional execution privileges needed. User interaction is not required for exploitation. | The fix is designed to change the stack overflow exception to prevent the crash. |
| Platform | 8.0 | CVE-2017-13302 | In updateLayerBounds of AdaptiveIconDrawable.java, there is a possible infinite loop due to improper input validation. This could result in a local permanent denial of service, with no additional execution privileges needed. User interaction is not required for exploitation. | The fix is designed to not update layer bounds if the bounds are empty, preventing the crash and denial of service. |
| Broadcom components | NA | CVE-2017-13303 | In wl_cfgvendor_priv_string_handler of wl_cfgvendor.c, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to remove the wl_cfgvendor_priv_string_handler function. |
| Kernel | NA | CVE-2017-13304 | In mnh_mipi_gen3_host of mnh-mipi.c, there is an out of bounds read due to an incorrect bounds check. This could lead to a local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add bounds checks to avoid the out of bound read. |
| Kernel | NA | CVE-2017-13305 | In valid_master_desc of encrypted.c, there is an out of bounds read due to missing bounds check. This could lead to a local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add bounds checks to avoid the out of bound read. |
| Kernel | NA | CVE-2017-17449 | In __netlink_deliver_tap_skb of af_netlink.c, it is possible to sniff Netlink activity across net namespaces due to a missing permission check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to filter the traffic so that nlmon can only sniff netlink messages from its own netns. |
| Kernel | NA | CVE-2017-13306 | In mnh_ion_create_buffer of mnh-sm-ion.c, there is a use after free due to improper locking. This could lead to escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add range and size checks and fix the locking. |
| Kernel | NA | CVE-2017-13307 | In driver_override_store of pci-sysfs.c, there is a possible double free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add locking to avoid the race condition. |
| Kernel | NA | CVE-2017-17712 | In raw_sendmsg of raw.c, there is a possible uninitialized stack pointer usage due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to only read inet->hdrincl once in order to avoid the race. |
| Kernel | NA | CVE-2017-15115 | In sctp_do_peeloff of socket.c, there is a possible escalation of privilege due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to fix the race condition by not peeling off from one netns to another one. |
Qua NA CVE In The fix is


lco - msm_ispif_get_pac designed
mm 201 k_mask_from_cfg to add
com 8- of bounds
pon 359 drivers/media/platf check.
ents 8 orm/msm/camera_
v2/ispif/msm_ispif.
c, there is a
possible out of
bounds read due to
a missing bounds
check. This could
lead to local
information
disclosure with
System execution
privileges needed.
User interaction is
not needed for
exploitation.

Qua NA CVE In The fix is


lco - hdd_debugfs_stats designed
mm 201 _update of to proper
com 8- drivers/staging/qca locking
pon 582 cld-3.0/core/hdd/sr to avoid
ents 6 c/wlan_hdd_debug race
fs_llstat.c, there is condition
an out of bounds s.
read due to a race
condition between
reading and

2022-2-2 All Rights Reserved Page 47 of 106


Release Notes Secret

releasing the
debug_fs file
resource. This
could lead to
information
disclosure.

Qua NA CVE In The fix is


lco - ptt_sock_send_msg designed
mm 201 _to_app of file to add
com 7- qcacld-2.0/CORE/S bounds
pon 158 VC/src/ptt/wlan_p check.
ents 53 tt_sock_svc.c there
is a out of bounds
read due to missing
bounds check. This
could lead to
information
disclosure with
System execution
privilege. User
interaction is not
needed.

Qualcomm components | NA | CVE-2018-3584 | In rmnet_usb_ctrl_init of drivers/net/usb/rmnet_usb_data.c there is a use after free. This could lead to information disclosure with system execution privilege. User interaction is not needed. | The fix is designed to not reference the buffer if it’s freed.

Qualcomm components | NA | CVE-2017-8269 | In ipa3_wwan_ioctl of msm/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c there is an out of bound read due to missing bounds check. This could lead to information disclosure with System execution privilege. User interaction is not needed. | The fix is designed to add a bounds check.

Qualcomm components | NA | CVE-2017-15837 | In nl80211_set_wowlan of net/wireless/nl80211.c there is an out of bounds read due to improper bounds check. This could lead to information disclosure with system execution privilege. User interaction is not needed. | The fix is designed to add validation policies to avoid the out of bounds read.

Qualcomm components | NA | CVE-2018-5823 | In wma_extscan_hotlist_match_event_handler of core/wma/src/wma_scan_roam.c, there is a possible OOB write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add a bounds check.

Qualcomm components | NA | CVE-2018-5825 | In __ipa_del_hdr of drivers/platform/msm/ipa/ipa_hdr.c, there is a possible arbitrary local code execution due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add proper validations to avoid use after free.

Qualcomm components | NA | CVE-2018-5824 | In ol_rx_frag_indication_handler of CORE/CLD_TXRX/HTT/htt_t2h.c, there is a possible OOB write due to an unusual root cause. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add a bounds check.

Qualcomm components | NA | CVE-2018-5827 | In wma_extscan_hotlist_match_event_handler of wma_scan_roam.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add proper bounds checking.

Qualcomm components | NA | CVE-2018-5822 | In wma_sap_ofl_add_sta_handler of QC WLAN driver, there is a possible OOB write due to a missing bounds check. This could lead to local escalation of privilege if the WLAN firmware is compromised. | The fix is designed to add a bounds check to sta_add_event->data_len to avoid the OOB write.

Qualcomm components | NA | CVE-2018-5821 | In wma_wow_wakeup_host_event of wma.c, there is a possible out of bound write due to a missing bounds check. This could lead to an elevation of privilege with system privileges needed. User interaction is not needed for exploitation. | The fix is designed to add sanity check to make sure vdev_id is less than max_bssid before using it in wma_wow_wakeup_host_event.

Qualcomm components | NA | CVE-2018-5820 | In wma_tbttoffset_update_event_handler of wma.c, there is a possible out of bound write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add sanity checks to make sure param_buf->num_tbttoffset_list does not exceed the value of the buffer.

Qualcomm components | NA | CVE-2018-3599 | In diag_dci_notify_client of drivers/char/diag/diag_dci.c, there is a UAF issue due to missing validation of dci client's process descriptor. This could lead to UAF and causing EoP. | The fix is designed to add the validation of dci client's process descriptor before issuing a signal to it.

Qualcomm components | NA | CVE-2018-3596 | In iw_softap_commit of drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c there is an out of bounds write due to missing bounds check. This could lead to local escalation of privilege with system execution privilege. User interaction is not needed. | The fix is designed to remove the entire function as it’s not being used.

Qualcomm components | NA | CVE-2018-3568 | In process_tx_info of core/utils/pktlog/pktlog_internal.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add input size check and limit the size in memory copy operation.

Qualcomm components | NA | CVE-2018-3567 | In htt_t2h_lp_msg_handler of core/dp/htt/htt_t2h.c, there is a possible OOB write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add a bounds check.

Qualcomm components | NA | CVE-2018-5828 | In wma_extscan_rsp_handler of wma.c, there is a possible out of bounds write due to a missing bounds check on event->vdev_id. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add a bounds check.

Qualcomm components | NA | CVE-2017-15836 | In wma_populate_soc_caps of wma_main.c, there is a possible out of bounds write due to an integer overflow caused by too big value of num_hw_modes or num_phy. This could lead to local escalation of privilege with System execution privileges required. User interaction is not needed for exploitation. | The fix is designed to add bounds checks to both variables.

Qualcomm components | NA | CVE-2017-15832 | In wma_unified_link_iface_stats_event_handler of wma_utils.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges required. User interaction is not needed for exploitation. | The fix is designed to add bounds checks.

Qualcomm components | NA | CVE-2017-14890 | In wma_beacon_swba_handler of wma_mgmt.c, there is a possible out of bounds write if firmware sends a message with invalid vdev_map value. This could lead to local escalation of privilege with System execution privileges required. User interaction is not needed for exploitation. | The fix is designed to fix the bounds checks in the for loop that causes the out of bounds write.

Qualcomm components | NA | CVE-2017-14894 | In wma_vdev_start_resp_handler of wma_dev_if.c, there is a possible out of bounds write if firmware sends a response with too big resp_event->vdev_id. This could lead to local escalation of privilege with System execution privileges required. User interaction is not needed for exploitation. | The fix is designed to add a bounds check.

Qualcomm components | NA | CVE-2017-14880 | In multiple functions of rmnet_ipa.c, there is a possible race condition due to insufficient locking. This could lead to local escalation of privilege with System execution privileges required. User interaction is not needed for exploitation. | The fix is designed to add locking.

Qualcomm components | NA | CVE-2017-11075 | In wdsp_glink_open of wcd-dsp-glink.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges required. User interaction is not needed for exploitation. | The fix is designed to set wpriv->glink_state.link_state to prevent the race condition.

Software/Module name | Version | CVE ID | Vulnerability Description | Impact Description

Platform | 8.0, 8.1 | CVE-2017-13281 | In avrc_pars_browsing_cmd of avrc_pars_tg.cc, there is a possible stack buffer overflow due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to fix the bounds check.

Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13276 | In CProgramConfig_ReadHeightExt of tpdec_asc.cpp, there is a possible stack buffer overflow due to a missing bounds check. This could lead to a remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. | The fix is designed to add bounds checks to prevent the overflow.

Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13277 | In ihevcd_fmt_conv of ihevcd_fmt_conv.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. | The fix is designed to add a bounds check.

Platform | 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13282 | In avrc_ctrl_pars_vendor_rsp of avrc_pars_ct.cc, there is a possible stack buffer overflow due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add a bounds check.

Platform | 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13283 | In avrc_ctrl_pars_vendor_rsp of bluetooth avrcp_ctrl, there is a possible out of bounds write on the stack due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add a bounds check.

Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13278 | In MediaPlayerService::Client::notify of MediaPlayerService.cpp, there is a possible use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to fix the logic in order to avoid the use after free.

Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13284 | In config_set_string of config.cc, it is possible to pair a second BT keyboard without user approval due to improper input validation. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to validate the configuration value.

Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13285 | In SvoxSsmlParser and startElement of svox_ssml_parser.cpp, there is a possible out of bounds write due to an uninitialized buffer. This could lead to remote code execution in an unprivileged process with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to initialize the buffer.

Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13267 | In avrc_pars_vendor_cmd of avrc_pars_tg.cc, there is a possible stack corruption due to a missing bounds check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add a bounds check.

Platform | 8.0, 8.1 | CVE-2017-13286 | In writeToParcel and readFromParcel of OutputConfiguration.java, there is a permission bypass due to mismatched serialization. This could lead to a local escalation of privilege where the user can start an activity with system privileges, with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to fix the parcel read/write mismatch.

Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13279 | In M3UParser::parse of M3UParser.cpp, there is a memory resource exhaustion due to a large loop of pushing items into a vector. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. | The fix is designed to detect variant streams without EXT-X-STREAM-INF in order to prevent the loop.

Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13280 | In the FrameSequence_gif::FrameSequence_gif function of libframesequence, there is an out of bounds read due to a missing bounds check. This could lead to a remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add a bounds check.

Platform | 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13287 | In createFromParcel of VerifyCredentialResponse.java, there is a possible invalid parcel read due to improper input validation. This could lead to local escalation of privilege if mPayload in writeToParcel were null, with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to fix the read/write mismatch.

Platform | 8.0, 8.1 | CVE-2017-13288 | In writeToParcel and readFromParcel of PeriodicAdvertisingReport.java, there is a permission bypass due to a 64/32bit int mismatch. This could lead to a local escalation of privilege where the user can start an activity with system privileges, with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to fix the read/write mismatch.

Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13274 | In the getHost() function of UriTest.java, there is the possibility of incorrect web origin determination. This could lead to incorrect security decisions with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to correct the handling of backslash characters in URIs.

Platform | 8.0, 8.1 | CVE-2017-13275 | In getVSCoverage of CmapCoverage.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with no additional privileges needed. User interaction is needed for exploitation. | The fix is designed to fix the bounds check and avoid integer overflow.

Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13289 | In writeToParcel and createFromParcel of RttManager.java, there is a permission bypass due to a write size mismatch. This could lead to a local escalation of privileges where the user can start an activity with system privileges, with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to fix the read/write mismatch.

Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13290 | In sdp_server_handle_client_req of sdp_server.cc, there is an out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add bounds checks.

Platform | 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13291 | In avrc_ctrl_pars_vendor_rsp of avrc_pars_ct.cc, there is a possible NULL pointer dereference due to missing bounds checks. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add bounds checks.

Broadcom components | NA | CVE-2017-13292 | In wl_get_assoc_ies of wl_cfg80211.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add appropriate bounds checks to avoid the out of bound writes.

Kernel | NA | CVE-2017-5754 | Speculative execution reading inaccessible memory could cause measurable changes in the cache state, allowing an attacker to use timing checks to determine the content of kernel memory. | The fix is designed to unmap kernel memory while running in user mode.

Kernel | NA | CVE-2017-1653 | In cdc_parse_cdc_header of message.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add several bounds checks.

Kernel | NA | CVE-2017-13293 | In the nfc_hci_cmd_received() function of core.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to check the size of the incoming data buffer.

Qualcomm components | NA | CVE-2017-13077 | In __wlan_hdd_cfg80211_add_key of wlan_hdd_cfg80211.c, there is a remote bypass of user interaction requirements due to improperly used crypto. This could lead to remote bypass of user interaction requirements with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to propagate the key sequence counter to SME.

Qualcomm components | NA | CVE-2017-17770 | In binder_transaction of binder.c, there is memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to dequeue a node before freeing it.

Qualcomm components | NA | CVE-2018-3566 | In ProcSetReqInternal of cfgProcMsg.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to validate a length variable to ensure it does not exceed CFG_MAX_STR_LEN.

Qualcomm components | NA | CVE-2018-3563 | In apr_cb_func of apr.c and apr_vm_cb_process_evt of apr_vm.c, there is a possible arbitrary code execution due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add appropriate bounds checks on the APR port received from the ADSP.


Qualcomm components | NA | CVE-2017-15822 | In wma_process_rmf_frame of wma_mgmt.c, there is a possible Out Of Bounds Write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add sanity check to drop the packet if mpdu_data_len is greater than 2000 bytes.

Qualcomm closed-source components | NA | CVE-2017-18071

Qualcomm closed-source components | NA | CVE-2017-8274

Qualcomm closed-source components | NA | CVE-2017-18146

Qualcomm closed-source components | NA | CVE-2017-18128

Qualcomm closed-source components | NA | CVE-2018-3592

Qualcomm closed-source components | NA | CVE-2018-3591

Qualcomm closed-source components | NA | CVE-2017-18074

Qualcomm closed-source components | NA | CVE-2017-18073

Qualcomm closed-source components | NA | CVE-2017-18125

Qualcomm closed-source components | NA | CVE-2017-8275

Qualcomm closed-source components | NA | CVE-2017-11011


Qualcomm closed-source components | NA | CVE-2017-18137

Qualcomm closed-source components | NA | CVE-2017-18134

Qualcomm closed-source components | NA | CVE-2017-18136

Qualcomm closed-source components | NA | CVE-2017-18140

Qualcomm closed-source components | NA | CVE-2017-18135

Qualcomm closed-source components | NA | CVE-2017-18142

Qualcomm closed-source components | NA | CVE-2017-18138

Qualcomm closed-source components | NA | CVE-2017-18139

Qualcomm closed-source components | NA | CVE-2017-18129

Qualcomm closed-source components | NA | CVE-2017-18132

Qualcomm closed-source components | NA | CVE-2017-18133

Qualcomm closed-source components | NA | CVE-2017-18072

Qualcomm closed-source components | NA | CVE-2017-18126

Qualcomm closed-source components | NA | CVE-2017-18144

Qualcomm closed-source components | NA | CVE-2017-18145

Qualcomm closed-source components | NA | CVE-2017-18147

Qualcomm closed-source components | NA | CVE-2017-18130

Qualcomm closed-source components | NA | CVE-2017-18143

Qualcomm closed-source components | NA | CVE-2017-18127


Qualcomm closed-source components | NA | CVE-2018-3590

Qualcomm closed-source components | NA | CVE-2018-3593

Qualcomm closed-source components | NA | CVE-2018-3589

Qualcomm closed-source components | NA | CVE-2018-3594

Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13294 | In the handleAttachmentUrisFromIntent() function of ComposeActivity.java, there is a confused deputy that can be used to compose an email with a file attachment from another message. This could lead to local information disclosure of local files with no additional execution privileges needed. User interaction is needed for exploitation. | The fix is designed to prevent Compose from accepting URIs with bad attachment paths.

Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13295 | In the handleAttachmentUrisFromIntent() function of ComposeActivity.java, there is a possible denial of service due to improper input validation. This could lead to local denial of service by preventing the uninstallation of a malicious application with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to validate application label strings.

Platform | 6.0, 6.0.1 | CVE-2017-13300 | In ihevcd_decode of ihevcd_decode.c there is a possible resource exhaustion due to an infinite loop. This could lead to a denial of service with no additional execution privileges needed. User interaction is needed for exploitation. | The fix is designed to move the update of sps_id in ps_codec to the end of the function to ensure sps is completely parsed to avoid the infinite loop.

Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13296 | In ih264d_mv_pred_ref_tfr_nby2_pmb() of ih264d_parse_slice, there is an out of bound read due to a missing bounds check. This could lead to a remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. | The fix is designed to prevent an out of bound read.

Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13297 | In ihevcd_parse_slice_header of libhevc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. | The fix is designed to add a bounds check.

Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13298 | In FindNAL of avc_utils.cpp there is a possible out of bounds read due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. | The fix is designed to add a bounds check.

Platform | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 | CVE-2017-13299 | In ih264d_form_scaling_matrix_picture of ih264d_parse_slice.c, there is a null pointer dereference due to a missing initialization. This could lead to a remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. | The fix is designed to avoid NULL pointer dereference.

Platform | 8.0 | CVE-2017-13301 | In the system UI, there is a possible crash if an "android:drawable" in an adaptive icon refers to itself. This could lead to a local permanent denial of service, with no additional execution privileges needed. User interaction is not required for exploitation. | The fix is designed to change the stack overflow exception to prevent the crash.

Platform | 8.0 | CVE-2017-13302 | In updateLayerBounds of AdaptiveIconDrawable.java, there is a possible infinite loop due to improper input validation. This could result in a local permanent denial of service, with no additional execution privileges needed. User interaction is not required for exploitation. | The fix is designed to not update layer bounds if the bounds are empty, preventing the crash and denial of service.

Broadcom components | NA | CVE-2017-13303 | In wl_cfgvendor_priv_string_handler of wl_cfgvendor.c, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to remove the wl_cfgvendor_priv_string_handler function.

Kernel | NA | CVE-2017-13304 | In mnh_mipi_gen3_host of mnh-mipi.c, there is an out of bounds read due to an incorrect bounds check. This could lead to a local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add bounds checks to avoid the out of bound read.

Kernel | NA | CVE-2017-13305 | In valid_master_desc of encrypted.c, there is an out of bounds read due to missing bounds check. This could lead to a local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add bounds checks to avoid the out of bound read.

Kernel | NA | CVE-2017-17449 | In __netlink_deliver_tap_skb of af_netlink.c, it is possible to sniff Netlink activity across net namespaces due to a missing permission check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to filter the traffic so that nlmon can only sniff netlink messages from its own netns.

Kernel | NA | CVE-2017-13306 | In mnh_ion_create_buffer of mnh-sm-ion.c, there is a use after free due to improper locking. This could lead to escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add range and size checks and fix the locking.

Kernel | NA | CVE-2017-13307 | In driver_override_store of pci-sysfs.c, there is a possible double free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add locking to avoid the race condition.

Kernel | NA | CVE-2017-17712 | In raw_sendmsg of raw.c, there is a possible uninitialized stack pointer usage due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to only read inet->hdrincl once in order to avoid the race.

Kernel | NA | CVE-2017-15115 | In sctp_do_peeloff of socket.c, there is a possible escalation of privilege due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to fix the race condition by not peeling off from one netns to another one.

Qualcomm components | NA | CVE-2018-3598 | In msm_ispif_get_pack_mask_from_cfg of drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add bounds check.

Qualcomm components | NA | CVE-2018-5826 | In hdd_debugfs_stats_update of drivers/staging/qcacld-3.0/core/hdd/src/wlan_hdd_debugfs_llstat.c, there is an out of bounds read due to a race condition between reading and releasing the debug_fs file resource. This could lead to information disclosure. | The fix is designed to use proper locking to avoid race conditions.

Qualcomm components | NA | CVE-2017-15853 | In ptt_sock_send_msg_to_app of file qcacld-2.0/CORE/SVC/src/ptt/wlan_ptt_sock_svc.c there is an out of bounds read due to missing bounds check. This could lead to information disclosure with System execution privilege. User interaction is not needed. | The fix is designed to add bounds check.

Qualcomm components | NA | CVE-2018-3584 | In rmnet_usb_ctrl_init of drivers/net/usb/rmnet_usb_data.c there is a use after free. This could lead to information disclosure with system execution privilege. User interaction is not needed. | The fix is designed to not reference the buffer if it’s freed.

Qualcomm components | NA | CVE-2017-8269 | In ipa3_wwan_ioctl of msm/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c there is an out of bound read due to missing bounds check. This could lead to information disclosure with System execution privilege. User interaction is not needed. | The fix is designed to add a bounds check.

Qualcomm components | NA | CVE-2017-15837 | In nl80211_set_wowlan of net/wireless/nl80211.c there is an out of bounds read due to improper bounds check. This could lead to information disclosure with system execution privilege. User interaction is not needed. | The fix is designed to add validation policies to avoid the out of bounds read.

Qualcomm components | NA | CVE-2018-5823 | In wma_extscan_hotlist_match_event_handler of core/wma/src/wma_scan_roam.c, there is a possible OOB write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add a bounds check.

Qualcomm components | NA | CVE-2018-5825 | In __ipa_del_hdr of drivers/platform/msm/ipa/ipa_hdr.c, there is a possible arbitrary local code execution due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add proper validations to avoid use after free.

Qualcomm components | NA | CVE-2018-5824 | In ol_rx_frag_indication_handler of CORE/CLD_TXRX/HTT/htt_t2h.c, there is a possible OOB write due to an unusual root cause. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add a bounds check.

Qualcomm components | NA | CVE-2018-5827 | In wma_extscan_hotlist_match_event_handler of wma_scan_roam.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add proper bounds checking.

Qualcomm components | NA | CVE-2018-5822 | In wma_sap_ofl_add_sta_handler of QC WLAN driver, there is a possible OOB write due to a missing bounds check. This could lead to local escalation of privilege if the WLAN firmware is compromised. | The fix is designed to add a bounds check to sta_add_event->data_len to avoid the OOB write.

Qualcomm components | NA | CVE-2018-5821 | In wma_wow_wakeup_host_event of wma.c, there is a possible out of bound write due to a missing bounds check. This could lead to an elevation of privilege with system privileges needed. User interaction is not needed for exploitation. | The fix is designed to add sanity check to make sure vdev_id is less than max_bssid before using it in wma_wow_wakeup_host_event.

Qualcomm components | NA | CVE-2018-5820 | In wma_tbttoffset_update_event_handler of wma.c, there is a possible out of bound write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add sanity checks to make sure param_buf->num_tbttoffset_list does not exceed the value of the buffer.

Qualcomm components | NA | CVE-2018-3599 | In diag_dci_notify_client of drivers/char/diag/diag_dci.c, there is a UAF issue due to missing validation of dci client's process descriptor. This could lead to UAF and causing EoP. | The fix is designed to add the validation of dci client's process descriptor before issuing a signal to it.

Qualcomm components | NA | CVE-2018-3596 | In iw_softap_commit of drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c there is an out of bounds write due to missing bounds check. This could lead to local escalation of privilege with system execution privilege. User interaction is not needed. | The fix is designed to remove the entire function as it’s not being used.

Qualcomm components | NA | CVE-2018-3568 | In process_tx_info of core/utils/pktlog/pktlog_internal.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add input size check and limit the size in memory copy operation.

Qualcomm components | NA | CVE-2018-3567 | In htt_t2h_lp_msg_handler of core/dp/htt/htt_t2h.c, there is a possible OOB write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add a bounds check.

Qualcomm components | NA | CVE-2018-5828 | In wma_extscan_rsp_handler of wma.c, there is a possible out of bounds write due to a missing bounds check on event->vdev_id. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. | The fix is designed to add a bounds check.

Qualcomm components | NA | CVE-2017-15836 | In wma_populate_soc_caps of wma_main.c, there is a possible out of bounds write due to an integer overflow caused by too big value of num_hw_modes or num_phy. This could lead to local escalation of privilege with System execution privileges required. User interaction is not needed for exploitation. | The fix is designed to add bounds checks to both variables.

Qualcomm components | NA | CVE-2017-15832 | In wma_unified_link_iface_stats_event_handler of wma_utils.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges required. User interaction is not needed for exploitation. | The fix is designed to add bounds checks.

Qualcomm components | NA | CVE-2017-14890 | In wma_beacon_swba_handler of wma_mgmt.c, there is a possible out of bounds write if firmware sends a message with invalid vdev_map value. This could lead to local escalation of privilege with System execution privileges required. User interaction is not needed for exploitation. | The fix is designed to fix the bounds checks in the for loop that causes the out of bounds write.

Qualcomm components | NA | CVE-2017-14894 | In wma_vdev_start_resp_handler of wma_dev_if.c, there is a possible out of bounds write if firmware sends a response with too big resp_event->vdev_id. This could lead to local escalation of privilege with System execution privileges required. User interaction is not needed for exploitation. | The fix is designed to add a bounds check.

Qualcomm components | NA | CVE-2017-14880 | In multiple functions of rmnet_ipa.c, there is a possible race condition due to insufficient locking. This could lead to local escalation of privilege with System execution privileges required. User interaction is not needed for exploitation. | The fix is designed to add locking.

Qualcomm components | NA | CVE-2017-11075 | In wdsp_glink_open of wcd-dsp-glink.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges required. User interaction is not needed for exploitation. | The fix is designed to set wpriv->glink_state.link_state to prevent the race condition.
