The MediaTek WLAN driver has VFS read handlers that do not check buffer size leading to userland memory corruption.
e02f5b1f1d435ca3340b9ddef6433031cb241ad315800f041e8e425d3ac596dd
An out-of-bounds read / write due to missing bounds check in the mtk-jpeg driver can lead to memory corruption and potential escalation of privileges.
e41201a7980c88fc58347c600192d9a70df411c527756cf6c4ba17ebb7bb7705
A race condition in the Android mtk_jpeg driver can lead to memory corruption and potential local privilege escalation.
b9bbc877dec293cdae380289c906920975d5c1e2eb6ec78818aa966c315357ce
There is a race condition in edgetpu_pin_user_pages which is reachable from some unprivileged contexts, including the Camera app, or the Google Meet app.
f2c097f59fbb9a93bf14610f9faf8be4d99e83e00ca52f16c11b8af6ef496e22
A vb2_mmap race with vb2_core_reqbufs leads to a use-after-free vulnerability in the Linux videobuf2 system.
d61a2203442211de402e6420b838d2d46c53994de2af84b1f343bfe1d3ad0231
An unsafe use of follow_pfn in get_vaddr_frames in videobuf2 on Linux leads to use-after-free issues or writes to ro-pages.
f545295793aea2d033e2e1720bb35ac7db855bcaa8fafcd55848d3dffe8ce90b