CVE-2025-6969

EUVD-2025-208683 | MEDIUM 5.0 (CVSS 3.1) | 2026-03-16 | OpenHarmony

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

CVE Published: Mar 16, 2026, 07:10 (source: nvd)
EUVD ID Assigned: Mar 16, 2026, 09:00 (source: euvd), EUVD-2025-208683
Analysis Generated: Mar 16, 2026, 09:00 (source: vuln.today)

Description

in OpenHarmony v5.1.0 and prior versions allow a local attacker to cause DoS through improper input.

Analysis

OpenHarmony v5.1.0 and prior versions contain an improper input validation flaw (CWE-20) that a local attacker can use to cause a denial of service. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H) bounds the threat: the attacker must already have low-privilege access on the device (PR:L), for example a local account or an installed application, and a user on the device must act on the crafted input (UI:R). Confidentiality and integrity are not affected (C:N/I:N) and the scope is unchanged (S:U); the recorded impact is to availability only (A:H), meaning the affected component or the device stops responding or crashes. The advisory does not describe the recovery path. The local-only vector and the user-interaction requirement are why the score is a medium 5.0 rather than higher, and they rule out remote, unassisted exploitation.

Technical Context

The advisory attributes the issue to improper input validation (CWE-20) but does not name the affected component, so the exact code path is not public. CWE-20 covers cases where data supplied by a caller reaches code that does not adequately check, filter or reject it before use (a length, count or offset field trusted without a bounds check is a typical instance), so specially crafted data drives the processing logic into an unexpected state such as a crash, hang or resource exhaustion. Here the caller is a low-privilege local principal and the outcome is loss of availability. OpenHarmony is an open-source distributed operating system hosted by the OpenAtom Foundation and built for IoT and embedded devices across many form factors. Versions up to and including v5.1.0 are reported as affected.
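As an added illustration of the CWE-20 to denial-of-service pattern the advisory describes (example code written for this page, not OpenHarmony's code, and not the component behind CVE-2025-6969, which the advisory does not name): a hypothetical local service parses an offset/length pair supplied by a low-privilege client. The naive bounds check wraps in 32-bit arithmetic, so a crafted pair is accepted and the read that follows would run far past the buffer and crash the service; the hardened check validates each field without wrapping arithmetic and caps the argument size at what the service is built to handle, so the crafted request is refused instead. The request layout, constants and sample requests are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request layout for a local service (constructed for this
 * example; NOT the OpenHarmony IPC format). The client hands over n bytes:
 *   bytes 0..3   u32 LE offset of the argument blob within the buffer
 *   bytes 4..7   u32 LE length of the argument blob
 *   bytes 8..n-1 payload                                                  */
#define HDR_SIZE    8
#define MAX_ARG_LEN 16   /* largest argument the service is designed to handle */

static uint32_t rd_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* CWE-20: looks right, but off + len is 32-bit arithmetic and wraps, so a
 * crafted pair passes and a later read from buf + off would crash the
 * service (local DoS). Shown only as the "before"; never dereference after it. */
int bounds_ok_naive(uint32_t off, uint32_t len, size_t n)
{
    return (off + len) <= n;
}

/* Hardened: each field checked on its own with arithmetic that cannot wrap,
 * then the service's own cap on argument size. */
int bounds_ok_safe(uint32_t off, uint32_t len, size_t n)
{
    if (off < HDR_SIZE || off > n) return 0;
    if (len > n - off)            return 0;   /* off <= n, so no underflow */
    if (len > MAX_ARG_LEN)        return 0;
    return 1;
}

/* Copies the argument blob into out. Returns its length, or -1 when the
 * request is rejected; a malicious request is refused instead of crashing. */
int parse_request(const uint8_t *buf, size_t n, uint8_t out[MAX_ARG_LEN])
{
    if (n < HDR_SIZE) return -1;
    uint32_t off = rd_u32le(buf);
    uint32_t len = rd_u32le(buf + 4);
    if (!bounds_ok_safe(off, len, n)) return -1;
    memcpy(out, buf + off, len);
    return (int)len;
}

/* --- constructed sample requests (not captured traffic) --- */
static void put_u32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static size_t build_request(uint8_t *buf, uint32_t off, uint32_t len, const char *payload)
{
    size_t plen = strlen(payload);
    put_u32le(buf, off);
    put_u32le(buf + 4, len);
    memcpy(buf + HDR_SIZE, payload, plen);
    return HDR_SIZE + plen;
}

/* Well-formed request: "hello" at offset 8, length 5. Returns 5. */
int demo_benign(void)
{
    uint8_t buf[64], out[MAX_ARG_LEN];
    size_t n = build_request(buf, HDR_SIZE, 5, "hello");
    return parse_request(buf, n, out);
}

/* off=0xFFFFFFF8, len=0x10: the 32-bit sum wraps to 8, which is <= n (13),
 * so the naive check returns 1 although off is nowhere near the buffer. */
int demo_wrap_naive(void)
{
    uint8_t buf[64];
    size_t n = build_request(buf, 0xFFFFFFF8u, 0x10u, "hello");
    return bounds_ok_naive(0xFFFFFFF8u, 0x10u, n);
}

/* Same crafted request through the hardened parser: rejected, returns -1. */
int demo_wrap_safe(void)
{
    uint8_t buf[64], out[MAX_ARG_LEN];
    size_t n = build_request(buf, 0xFFFFFFF8u, 0x10u, "hello");
    return parse_request(buf, n, out);
}

/* In bounds, but 20 bytes exceeds MAX_ARG_LEN: rejected, returns -1. */
int demo_oversize(void)
{
    uint8_t buf[64], out[MAX_ARG_LEN];
    size_t n = build_request(buf, HDR_SIZE, 20, "0123456789ABCDEFGHIJ");
    return parse_request(buf, n, out);
}

int main(void)
{
    printf("benign request: %d\n", demo_benign());
    printf("naive check accepts wrapped offset: %d\n", demo_wrap_naive());
    printf("hardened parser rejects it: %d\n", demo_wrap_safe());
    printf("oversize argument rejected: %d\n", demo_oversize());
    return 0;
}
```

The two checks differ only in how they treat caller-controlled integers: the safe version never forms a sum that can wrap, compares each field against the actual buffer size, and then applies a policy cap, which is the same shape any local service boundary (IPC handler, driver ioctl, file parser) should have.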

Affected Products

OpenHarmony v5.1.0 and all prior versions are reported as affected. OpenHarmony ships on a range of device classes, and the advisory does not narrow the affected set, so any device or image running v5.1.0 or earlier should be treated as in scope until its vendor says otherwise. No CPE is listed on this page; for inventory tooling, cpe:2.3:o:openatom:openharmony with a version constraint of less than or equal to 5.1.0 is the expected match, but confirm it against the NVD entry before relying on it. Consult the OpenHarmony security advisory at https://openharmony.gitee.io or the device manufacturer for product-specific version and patch details.

Remediation

Upgrade affected OpenHarmony installations to a release later than v5.1.0 that contains the fix; check the OpenHarmony security advisory (https://openharmony.gitee.io) for the exact fixed version, and the device manufacturer's support page for the corresponding firmware, since OEM rollout timelines vary. Until a patch is deployed: limit who and what can run on the device (trusted accounts only, no application installs from untrusted sources), because the attacker needs low-privilege local access; treat prompts and inputs from unfamiliar local applications with care, because exploitation needs a user action; put input validation (length, bounds and type checks) in front of any system service your own applications expose, as defense in depth; and watch system logs for repeated crashes, watchdog resets or unresponsive services that could indicate attempts. Shared or multi-user devices and IoT fleets with guest or technician access should be patched first, because the local vector matters most there.

Priority Score: 25 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.0
CVSS: +25
POC: 0


CVE-2025-6969 vulnerability details – vuln.today
