CVE-2023-28576

Summary

The buffer obtained from kernel APIs such as cam_mem_get_cpu_buf() may be readable/writable in userspace after kernel accesses it. In other words, user mode may race and modify the packet header (e.g. header.count), causing checks (e.g. size checks) in kernel code to be invalid. This may lead to out-of-bounds read/write issues.

Affected Software

VendorProductVersion RangeStatus
Qualcomm, Inc.SnapdragonFastConnect 6800affected
Qualcomm, Inc.SnapdragonFastConnect 6900affected
Qualcomm, Inc.SnapdragonFastConnect 7800affected
Qualcomm, Inc.SnapdragonQCA6391affected
Qualcomm, Inc.SnapdragonQCA6426affected
Qualcomm, Inc.SnapdragonQCA6436affected
Qualcomm, Inc.SnapdragonQCN9074affected
Qualcomm, Inc.SnapdragonQCS410affected
Qualcomm, Inc.SnapdragonQCS610affected
Qualcomm, Inc.SnapdragonSD865 5Gaffected
Qualcomm, Inc.SnapdragonSnapdragon 8 Gen 1 Mobile Platformaffected
Qualcomm, Inc.SnapdragonSnapdragon 865 5G Mobile Platformaffected
Qualcomm, Inc.SnapdragonSnapdragon 865+ 5G Mobile Platform (SM8250-AB)affected
Qualcomm, Inc.SnapdragonSnapdragon 870 5G Mobile Platform (SM8250-AC)affected
Qualcomm, Inc.SnapdragonSnapdragon X55 5G Modem-RF Systemaffected
Qualcomm, Inc.SnapdragonSnapdragon XR2 5G Platformaffected
Qualcomm, Inc.SnapdragonSW5100affected
Qualcomm, Inc.SnapdragonSW5100Paffected
Qualcomm, Inc.SnapdragonSXR2130affected
Qualcomm, Inc.SnapdragonWCD9341affected
Qualcomm, Inc.SnapdragonWCD9370affected
Qualcomm, Inc.SnapdragonWCD9380affected
Qualcomm, Inc.SnapdragonWCN3660Baffected
Qualcomm, Inc.SnapdragonWCN3680Baffected
Qualcomm, Inc.SnapdragonWCN3950affected
Qualcomm, Inc.SnapdragonWCN3980affected
Qualcomm, Inc.SnapdragonWCN3988affected
Qualcomm, Inc.SnapdragonWSA8810affected
Qualcomm, Inc.SnapdragonWSA8815affected
Qualcomm, Inc.SnapdragonWSA8830affected
Qualcomm, Inc.SnapdragonWSA8835affected

Weaknesses

  • CWE-367: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References