Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
in OpenHarmony v6.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps.
AnalysisAI
Remote code execution in OpenHarmony v6.0 and prior versions allows authenticated remote attackers to execute arbitrary code within pre-installed applications through a race condition flaw (CWE-364). The CVSS 8.1 score reflects high confidentiality and availability impact but no integrity impact, and no public exploit has been identified at time of analysis. The vulnerability requires low privileges but no user interaction, making it exploitable across OpenHarmony's distributed device ecosystem including smart devices, wearables, and IoT endpoints running the open-source operating system.
Technical ContextAI
OpenHarmony is an open-source distributed operating system developed under the OpenAtom Foundation, designed for smart devices, IoT endpoints, and consumer electronics across multiple form factors. The affected CPE cpe:2.3:a:openharmony:openharmony covers all OpenHarmony releases up to and including v6.0. The root cause is classified as CWE-364 (Signal Handler Race Condition), which arises when a signal handler accesses shared state that can be concurrently modified, creating a window where an attacker can manipulate program flow during the non-atomic handling of asynchronous signals. In the context of pre-installed apps, this likely affects privileged system components or framework services that handle inter-process communication or system signals, enabling unexpected code paths to be triggered during the race window.
RemediationAI
Patch availability is referenced via the OpenHarmony security disclosure at https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-04.md, but a specific fixed version is not stated in the provided data, so consult that advisory for the exact patched release and upgrade affected devices accordingly. As compensating controls until patching is feasible, restrict network exposure of OpenHarmony devices by placing them behind segmented VLANs or firewalls that block untrusted ingress to device service ports, and limit the set of accounts able to authenticate locally or remotely since PR:L exploitation requires at least low-privilege credentials. Where pre-installed apps with network services are not required, disabling those specific services reduces the attack surface, with the trade-off being loss of associated functionality such as remote management or device-to-device interaction.
More in Openharmony
View allin OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through
Arbitrary code execution in OpenHarmony v6.0 and earlier enables remote attackers with low privileges to execute code wi
in OpenHarmony v4.1.2 and prior versions allow a local attacker cause the common permission is upgraded to root and sens
in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through improper in
in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through use after f
in OpenHarmony v4.0.0 and prior versions allow an adjacent attacker arbitrary code execution in any apps through use aft
OpenHarmony-v3.1.2 and prior versions have an authenication bypass vulnerability in a callback handler function of Softb
OpenHarmony-v3.1.1 and prior versions have a permission bypass vulnerability. Rated high severity (CVSS 8.8), this vulne
Same weakness CWE-364 – Signal Handler Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30826
GHSA-mv6m-pvcq-372p