Skip to main content

Openharmony CVE-2025-52458

| EUVDEUVD-2025-208681 MEDIUM
Out-of-bounds Write (CWE-787)
2026-03-16 OpenHarmony
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 16, 2026 - 09:00 euvd
EUVD-2025-208681
Analysis Generated
Mar 16, 2026 - 09:00 vuln.today
CVE Published
Mar 16, 2026 - 07:10 nvd
MEDIUM 5.5

DescriptionCVE.org

in OpenHarmony v5.1.0 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through out-of-bounds write. This vulnerability can be exploited only in restricted scenarios.

AnalysisAI

An out-of-bounds write vulnerability (CWE-787) exists in OpenHarmony versions up to and including v5.1.0, enabling local attackers to execute arbitrary code within pre-installed applications. The vulnerability requires local access and low privileges but can result in complete confidentiality compromise. This is a memory corruption issue that, while restricted to specific scenarios, poses a meaningful risk to OpenHarmony device security given the local attack vector and high impact on confidentiality.

Technical ContextAI

OpenHarmony is an open-source operating system (identified via CPE cpe:2.3:a:openharmony:openharmony:*:*:*:*:*:*:*:*) designed for IoT and embedded devices. The vulnerability stems from a CWE-787 (Out-of-bounds Write) condition in memory-handling routines, likely within system libraries or kernel components used by pre-installed applications. Out-of-bounds writes are classic buffer overflow memory corruption issues that allow attackers to overwrite adjacent memory structures, potentially hijacking control flow or modifying sensitive data. The restriction to pre-installed apps and specific scenarios suggests the vulnerability exists within a sandboxed or capability-gated code path rather than in universally accessible kernel code, limiting but not eliminating exploitability.

RemediationAI

Upgrade OpenHarmony to a patched version beyond v5.1.0.x as released by the OpenHarmony project. Consult the official security disclosure at https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2025/2025-10.md for specific patch availability and timelines. Until patching is feasible, implement the following mitigations: (1) restrict local user account creation and access on OpenHarmony devices to trusted personnel only, reducing the likelihood of local attacker scenarios; (2) isolate OpenHarmony devices on network segments with restricted outbound access to limit lateral movement if code execution is achieved; (3) monitor process behavior in pre-installed applications for anomalies or unexpected memory access patterns. Prioritize patching for high-risk deployments (connected home devices, medical IoT, industrial controllers).

CVE-2024-37185 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-37077 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-37030 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-36260 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-36243 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2026-27648 HIGH
8.8 May 19

Arbitrary code execution in OpenHarmony v6.0 and earlier enables remote attackers with low privileges to execute code wi

CVE-2025-0303 HIGH
8.8 Feb 07

in OpenHarmony v4.1.2 and prior versions allow a local attacker cause the common permission is upgraded to root and sens

CVE-2024-29074 HIGH
8.8 Apr 02

in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through improper in

CVE-2024-22098 HIGH
8.8 Apr 02

in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through use after f

CVE-2024-21860 HIGH
8.8 Feb 02

in OpenHarmony v4.0.0 and prior versions allow an adjacent attacker arbitrary code execution in any apps through use aft

CVE-2022-42463 HIGH
8.8 Oct 14

OpenHarmony-v3.1.2 and prior versions have an authenication bypass vulnerability in a callback handler function of Softb

CVE-2022-38700 HIGH
8.8 Sep 09

OpenHarmony-v3.1.1 and prior versions have a permission bypass vulnerability. Rated high severity (CVSS 8.8), this vulne

Share

CVE-2025-52458 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy