Skip to main content

OpenHarmony CVE-2026-27766

| EUVDEUVD-2026-30830 MEDIUM
Signal Handler Race Condition (CWE-364)
2026-05-19 OpenHarmony GHSA-382c-r87v-m473
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 19, 2026 - 03:48 vuln.today

DescriptionCVE.org

in OpenHarmony v6.0 and prior versions allow a local attacker cause information leak.

AnalysisAI

Information disclosure in OpenHarmony v6.0 and earlier enables a low-privileged local attacker to leak high-sensitivity data from the system without any user interaction. The root cause is a signal handler race condition (CWE-364), where asynchronous signal delivery can expose protected memory contents while leaving system integrity and availability unaffected. No public exploit code has been identified at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

The vulnerability is rooted in CWE-364, a signal handler race condition. Signal handlers in POSIX-compliant operating systems are invoked asynchronously when a process receives a signal, interrupting normal execution at non-deterministic points. If a signal handler accesses shared state or memory regions that are also manipulated by the main execution context - without proper synchronization primitives - an attacker with the ability to send signals can exploit the timing window to cause unintended reads of sensitive memory. OpenHarmony is Huawei's open-source distributed OS targeting IoT, embedded, and mobile device categories. The CPE string cpe:2.3:a:openharmony:openharmony:*:*:*:*:*:*:*:* confirms the vulnerability spans all tracked versions of the platform up to and including v6.0. The specific internal component or subsystem containing the vulnerable signal handler is not identified in the available description, as the text appears truncated.

RemediationAI

Consult the OpenHarmony May 2026 security advisory at https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-05.md to identify the specific patched release and apply the vendor-supplied update as the primary remediation. A patch is referenced by the vendor advisory; however, the exact fixed version number is not independently confirmed in the available intelligence - verify the minimum safe version directly from the advisory before upgrading. As compensating controls where immediate patching is not feasible: restrict the number of low-privilege local accounts or processes on affected devices, enforce strict process isolation to prevent unprivileged processes from sending signals to sensitive system processes (e.g., via seccomp or SELinux policy on compatible configurations), and audit which processes handle signals while accessing sensitive memory. Note that signal-filtering policies may affect legitimate inter-process communication and should be tested for operational impact before deployment.

CVE-2024-37185 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-37077 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-37030 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-36260 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-36243 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2026-27648 HIGH
8.8 May 19

Arbitrary code execution in OpenHarmony v6.0 and earlier enables remote attackers with low privileges to execute code wi

CVE-2025-0303 HIGH
8.8 Feb 07

in OpenHarmony v4.1.2 and prior versions allow a local attacker cause the common permission is upgraded to root and sens

CVE-2024-29074 HIGH
8.8 Apr 02

in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through improper in

CVE-2024-22098 HIGH
8.8 Apr 02

in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through use after f

CVE-2024-21860 HIGH
8.8 Feb 02

in OpenHarmony v4.0.0 and prior versions allow an adjacent attacker arbitrary code execution in any apps through use aft

CVE-2022-42463 HIGH
8.8 Oct 14

OpenHarmony-v3.1.2 and prior versions have an authenication bypass vulnerability in a callback handler function of Softb

CVE-2022-38700 HIGH
8.8 Sep 09

OpenHarmony-v3.1.1 and prior versions have a permission bypass vulnerability. Rated high severity (CVSS 8.8), this vulne

Share

CVE-2026-27766 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy