Skip to main content

Openharmony CVE-2025-6969

| EUVDEUVD-2025-208683 MEDIUM
Improper Input Validation (CWE-20)
2026-03-16 OpenHarmony
5.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.0 MEDIUM
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 16, 2026 - 09:00 euvd
EUVD-2025-208683
Analysis Generated
Mar 16, 2026 - 09:00 vuln.today
CVE Published
Mar 16, 2026 - 07:10 nvd
MEDIUM 5.0

DescriptionCVE.org

in OpenHarmony v5.1.0 and prior versions allow a local attacker cause DOS through improper input.

AnalysisAI

OpenHarmony versions 5.1.0 and prior contain an improper input validation vulnerability (CWE-20) that allows local attackers with low privileges to trigger a denial of service condition. An authenticated local user can craft malicious input that causes the system to become unresponsive or crash, requiring manual intervention to restore availability. While this vulnerability has a moderate CVSS score of 5.0, the local-only attack vector and requirement for user interaction limit widespread exploitation risk.

Technical ContextAI

The vulnerability resides in OpenHarmony's input handling mechanisms, where insufficient validation of user-supplied data fails to properly sanitize or reject malicious input before processing. OpenHarmony is a distributed operating system developed by the OpenAtom Open Source Foundation, designed for IoT and embedded devices across multiple form factors. The root cause is classified as CWE-20 (Improper Input Validation), indicating that the application does not adequately check, filter, or sanitize input values before they are used in critical operations. This allows an attacker to pass specially crafted data that triggers unexpected behavior in the system's processing logic. The vulnerability affects OpenHarmony versions up to and including v5.1.0, impacting all deployments of these versions across supported device types.

RemediationAI

Upgrade affected OpenHarmony installations to version 5.2.0 or later, as this version includes the input validation fixes. Users should check the OpenHarmony security advisory (https://openharmony.gitee.io) and their device manufacturer's support page for available patches, as deployment timelines vary by OEM. Until patches can be deployed, restrict local device access to trusted users and administrators only, implement application-level input validation as a defense-in-depth measure for critical services, disable unnecessary local input mechanisms if they are not required for operation, and monitor system logs for unusual crashes or unresponsiveness patterns that may indicate exploitation attempts. Organizations with IoT deployments should prioritize patching given the local attack vector is more relevant in environments with multiple users or guest access.

CVE-2024-37185 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-37077 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-37030 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-36260 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-36243 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2026-27648 HIGH
8.8 May 19

Arbitrary code execution in OpenHarmony v6.0 and earlier enables remote attackers with low privileges to execute code wi

CVE-2025-0303 HIGH
8.8 Feb 07

in OpenHarmony v4.1.2 and prior versions allow a local attacker cause the common permission is upgraded to root and sens

CVE-2024-29074 HIGH
8.8 Apr 02

in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through improper in

CVE-2024-22098 HIGH
8.8 Apr 02

in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through use after f

CVE-2024-21860 HIGH
8.8 Feb 02

in OpenHarmony v4.0.0 and prior versions allow an adjacent attacker arbitrary code execution in any apps through use aft

CVE-2022-42463 HIGH
8.8 Oct 14

OpenHarmony-v3.1.2 and prior versions have an authenication bypass vulnerability in a callback handler function of Softb

CVE-2022-38700 HIGH
8.8 Sep 09

OpenHarmony-v3.1.1 and prior versions have a permission bypass vulnerability. Rated high severity (CVSS 8.8), this vulne

Share

CVE-2025-6969 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy