CVE-2023-28577

In the function call related to CAM_REQ_MGR_RELEASE_BUF there is no check if the buffer is being used. So when a function called cam_mem_get_cpu_buf to get the kernel va to use, another thread can call CAM_REQ_MGR_RELEASE_BUF to unmap the kernel va which cause UAF of the kernel address.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.7 MEDIUM
LOCAL
LOW
HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
qualcommCNA
6.7 MEDIUM
LOCAL
LOW
HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 5%
VendorProductVersion
qualcommfastconnect_6800_firmware
-
qualcommfastconnect_6900_firmware
-
qualcommfastconnect_7800_firmware
-
qualcommqca6391_firmware
-
qualcommqca6426_firmware
-
qualcommqca6436_firmware
-
qualcommqcn9074_firmware
-
qualcommqcs410_firmware
-
qualcommqcs610_firmware
-
qualcommsd865_5g_firmware
-
qualcommsnapdragon_8_gen_1_firmware
-
qualcommsnapdragon_865_5g_firmware
-
qualcommsnapdragon_865\+_5g_firmware
-
qualcommsnapdragon_870_5g_firmware
-
qualcommsnapdragon_x55_5g_firmware
-
qualcommsnapdragon_xr2_5g_firmware
-
qualcommsw5100_firmware
-
qualcommsw5100p_firmware
-
qualcommsxr2130_firmware
-
qualcommwcd9341_firmware
-
qualcommwcd9370_firmware
-
qualcommwcd9380_firmware
-
qualcommwcn3660b_firmware
-
qualcommwcn3680b_firmware
-
qualcommwcn3950_firmware
-
qualcommwcn3980_firmware
-
qualcommwcn3988_firmware
-
qualcommwsa8810_firmware
-
qualcommwsa8815_firmware
-
qualcommwsa8830_firmware
-
qualcommwsa8835_firmware
-
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.qualcomm.com/company/product-security/bulletins/august-2023-bulletin
https://www.qualcomm.com/company/product-security/bulletins/august-2023-bulletin