Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
in OpenHarmony v5.1.0 and prior versions allow a local attacker cause DOS through improper input.
AnalysisAI
OpenHarmony versions 5.1.0 and prior contain an improper input validation vulnerability (CWE-20) that allows local attackers with low privileges to trigger a denial of service condition. An authenticated local user can craft malicious input that causes the system to become unresponsive or crash, requiring manual intervention to restore availability. While this vulnerability has a moderate CVSS score of 5.0, the local-only attack vector and requirement for user interaction limit widespread exploitation risk.
Technical ContextAI
The vulnerability resides in OpenHarmony's input handling mechanisms, where insufficient validation of user-supplied data fails to properly sanitize or reject malicious input before processing. OpenHarmony is a distributed operating system developed by the OpenAtom Open Source Foundation, designed for IoT and embedded devices across multiple form factors. The root cause is classified as CWE-20 (Improper Input Validation), indicating that the application does not adequately check, filter, or sanitize input values before they are used in critical operations. This allows an attacker to pass specially crafted data that triggers unexpected behavior in the system's processing logic. The vulnerability affects OpenHarmony versions up to and including v5.1.0, impacting all deployments of these versions across supported device types.
RemediationAI
Upgrade affected OpenHarmony installations to version 5.2.0 or later, as this version includes the input validation fixes. Users should check the OpenHarmony security advisory (https://openharmony.gitee.io) and their device manufacturer's support page for available patches, as deployment timelines vary by OEM. Until patches can be deployed, restrict local device access to trusted users and administrators only, implement application-level input validation as a defense-in-depth measure for critical services, disable unnecessary local input mechanisms if they are not required for operation, and monitor system logs for unusual crashes or unresponsiveness patterns that may indicate exploitation attempts. Organizations with IoT deployments should prioritize patching given the local attack vector is more relevant in environments with multiple users or guest access.
More in Openharmony
View allin OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through
Arbitrary code execution in OpenHarmony v6.0 and earlier enables remote attackers with low privileges to execute code wi
in OpenHarmony v4.1.2 and prior versions allow a local attacker cause the common permission is upgraded to root and sens
in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through improper in
in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through use after f
in OpenHarmony v4.0.0 and prior versions allow an adjacent attacker arbitrary code execution in any apps through use aft
OpenHarmony-v3.1.2 and prior versions have an authenication bypass vulnerability in a callback handler function of Softb
OpenHarmony-v3.1.1 and prior versions have a permission bypass vulnerability. Rated high severity (CVSS 8.8), this vulne
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-208683