Skip to main content

OpenHarmony CVE-2026-25781

| EUVDEUVD-2026-30832 HIGH
Out-of-bounds Write (CWE-787)
2026-05-19 OpenHarmony GHSA-7f33-7337-2rhg
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 19, 2026 - 03:46 vuln.today

DescriptionCVE.org

in OpenHarmony v6.0 and prior versions allow a local attacker cause DOS and it cannot be recovered.

AnalysisAI

Out-of-bounds write in OpenHarmony v6.0 and earlier enables a local low-privileged attacker to corrupt memory and trigger an unrecoverable denial-of-service condition on affected devices. The flaw was disclosed by the OpenHarmony project itself, and no public exploit identified at time of analysis. Although CVSS scores it 8.4 (High) due to scope change and high confidentiality/integrity impact, the vector indicates local-only access with low privileges already required.

Technical ContextAI

OpenHarmony is the open-source distributed operating system led by the OpenAtom Foundation, used in IoT, smart-home, automotive, and embedded devices across the Huawei HarmonyOS ecosystem. The root cause is CWE-787 (Out-of-bounds Write), a class of memory-corruption bug where code writes data past the bounds of an allocated buffer; the project's own tags also identify it as a buffer overflow and memory-corruption issue. CPE coverage (cpe:2.3:a:openharmony:openharmony:*) is wildcard across versions, with the advisory scoping impact to v6.0 and prior. Scope:Changed in the CVSS vector indicates the corrupted component can affect resources beyond its own security boundary, which on OpenHarmony typically maps to crossing a process or capability boundary inside the microkernel/multi-kernel architecture.

RemediationAI

No exact fixed version was supplied in the input data, so treat patch status as: patch available per vendor advisory - consult the OpenHarmony security disclosure at https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-05.md for the specific commit or release tag and upgrade to the first OpenHarmony build that incorporates the fix. As compensating controls until the patch is rolled out, restrict which local user accounts and pre-installed applications hold the privilege level required to reach the vulnerable code path (PR:L), tighten SELinux/permission policy on the affected component, disable or sandbox third-party apps that do not need to run on the device, and for IoT/embedded deployments avoid shipping shared-user or developer-mode builds to production - the trade-off is reduced flexibility for on-device tooling and side-loaded apps.

CVE-2024-37185 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-37077 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-37030 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-36260 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-36243 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2026-27648 HIGH
8.8 May 19

Arbitrary code execution in OpenHarmony v6.0 and earlier enables remote attackers with low privileges to execute code wi

CVE-2025-0303 HIGH
8.8 Feb 07

in OpenHarmony v4.1.2 and prior versions allow a local attacker cause the common permission is upgraded to root and sens

CVE-2024-29074 HIGH
8.8 Apr 02

in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through improper in

CVE-2024-22098 HIGH
8.8 Apr 02

in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through use after f

CVE-2024-21860 HIGH
8.8 Feb 02

in OpenHarmony v4.0.0 and prior versions allow an adjacent attacker arbitrary code execution in any apps through use aft

CVE-2022-42463 HIGH
8.8 Oct 14

OpenHarmony-v3.1.2 and prior versions have an authenication bypass vulnerability in a callback handler function of Softb

CVE-2022-38700 HIGH
8.8 Sep 09

OpenHarmony-v3.1.1 and prior versions have a permission bypass vulnerability. Rated high severity (CVSS 8.8), this vulne

Share

CVE-2026-25781 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy