Skip to main content

OpenHarmony CVE-2026-24792

| EUVDEUVD-2026-30826 HIGH
Signal Handler Race Condition (CWE-364)
2026-05-19 OpenHarmony GHSA-mv6m-pvcq-372p
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 19, 2026 - 03:45 vuln.today

DescriptionCVE.org

in OpenHarmony v6.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps.

AnalysisAI

Remote code execution in OpenHarmony v6.0 and prior versions allows authenticated remote attackers to execute arbitrary code within pre-installed applications through a race condition flaw (CWE-364). The CVSS 8.1 score reflects high confidentiality and availability impact but no integrity impact, and no public exploit has been identified at time of analysis. The vulnerability requires low privileges but no user interaction, making it exploitable across OpenHarmony's distributed device ecosystem including smart devices, wearables, and IoT endpoints running the open-source operating system.

Technical ContextAI

OpenHarmony is an open-source distributed operating system developed under the OpenAtom Foundation, designed for smart devices, IoT endpoints, and consumer electronics across multiple form factors. The affected CPE cpe:2.3:a:openharmony:openharmony covers all OpenHarmony releases up to and including v6.0. The root cause is classified as CWE-364 (Signal Handler Race Condition), which arises when a signal handler accesses shared state that can be concurrently modified, creating a window where an attacker can manipulate program flow during the non-atomic handling of asynchronous signals. In the context of pre-installed apps, this likely affects privileged system components or framework services that handle inter-process communication or system signals, enabling unexpected code paths to be triggered during the race window.

RemediationAI

Patch availability is referenced via the OpenHarmony security disclosure at https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-04.md, but a specific fixed version is not stated in the provided data, so consult that advisory for the exact patched release and upgrade affected devices accordingly. As compensating controls until patching is feasible, restrict network exposure of OpenHarmony devices by placing them behind segmented VLANs or firewalls that block untrusted ingress to device service ports, and limit the set of accounts able to authenticate locally or remotely since PR:L exploitation requires at least low-privilege credentials. Where pre-installed apps with network services are not required, disabling those specific services reduces the attack surface, with the trade-off being loss of associated functionality such as remote management or device-to-device interaction.

CVE-2024-37185 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-37077 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-37030 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-36260 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-36243 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2026-27648 HIGH
8.8 May 19

Arbitrary code execution in OpenHarmony v6.0 and earlier enables remote attackers with low privileges to execute code wi

CVE-2025-0303 HIGH
8.8 Feb 07

in OpenHarmony v4.1.2 and prior versions allow a local attacker cause the common permission is upgraded to root and sens

CVE-2024-29074 HIGH
8.8 Apr 02

in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through improper in

CVE-2024-22098 HIGH
8.8 Apr 02

in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through use after f

CVE-2024-21860 HIGH
8.8 Feb 02

in OpenHarmony v4.0.0 and prior versions allow an adjacent attacker arbitrary code execution in any apps through use aft

CVE-2022-42463 HIGH
8.8 Oct 14

OpenHarmony-v3.1.2 and prior versions have an authenication bypass vulnerability in a callback handler function of Softb

CVE-2022-38700 HIGH
8.8 Sep 09

OpenHarmony-v3.1.1 and prior versions have a permission bypass vulnerability. Rated high severity (CVSS 8.8), this vulne

Share

CVE-2026-24792 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy