Skip to main content

OpenHarmony CVE-2026-27781

| EUVDEUVD-2026-30828 LOW
Integer Overflow or Wraparound (CWE-190)
2026-05-19 OpenHarmony GHSA-ghh2-q8rr-q487
3.3
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 19, 2026 - 03:47 vuln.today

DescriptionCVE.org

in OpenHarmony v6.0 and prior versions allow a local attacker cause DOS.

AnalysisAI

Integer overflow in OpenHarmony v6.0 and prior versions enables a local authenticated attacker to trigger a denial-of-service condition, resulting in an availability impact. The vulnerability is low severity with a CVSS score of 3.3, requires local access with low privileges, and no public exploit or active exploitation has been identified at time of analysis. Notably, the CVE tags include 'Information Disclosure' despite the CVSS vector indicating no confidentiality impact (C:N), a discrepancy that warrants vendor clarification.

Technical ContextAI

OpenHarmony is an open-source distributed operating system developed under the OpenAtom Foundation, targeting IoT and embedded devices. The root cause is CWE-190 (Integer Overflow or Wraparound), a class of vulnerability where arithmetic operations produce values that exceed the bounds of the integer type, wrapping to unexpected values. In this context, the overflow likely occurs within a kernel or system service component, allowing a local process to trigger abnormal resource exhaustion or process crash. The affected product is identified via CPE cpe:2.3:a:openharmony:openharmony:*:*:*:*:*:*:*:*, covering all versions up to and including v6.0. The exact component or subsystem containing the overflow is not specified in available data.

RemediationAI

Consult the OpenHarmony security disclosure for April 2026 at https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-04.md to obtain the patched release version - no specific fix version number is confirmed in available data, so the exact upgrade target should be derived from that advisory. As a compensating control, restrict shell or local process access to untrusted users on OpenHarmony-based devices, as exploitation requires a locally authenticated low-privilege account. Limiting the attack surface by enforcing least-privilege user policies and disabling unnecessary local user accounts reduces exposure. Note that these controls address the privilege prerequisite but do not eliminate the underlying integer overflow.

CVE-2024-37185 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-37077 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-37030 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-36260 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-36243 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2026-27648 HIGH
8.8 May 19

Arbitrary code execution in OpenHarmony v6.0 and earlier enables remote attackers with low privileges to execute code wi

CVE-2025-0303 HIGH
8.8 Feb 07

in OpenHarmony v4.1.2 and prior versions allow a local attacker cause the common permission is upgraded to root and sens

CVE-2024-29074 HIGH
8.8 Apr 02

in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through improper in

CVE-2024-22098 HIGH
8.8 Apr 02

in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through use after f

CVE-2024-21860 HIGH
8.8 Feb 02

in OpenHarmony v4.0.0 and prior versions allow an adjacent attacker arbitrary code execution in any apps through use aft

CVE-2022-42463 HIGH
8.8 Oct 14

OpenHarmony-v3.1.2 and prior versions have an authenication bypass vulnerability in a callback handler function of Softb

CVE-2022-38700 HIGH
8.8 Sep 09

OpenHarmony-v3.1.1 and prior versions have a permission bypass vulnerability. Rated high severity (CVSS 8.8), this vulne

Share

CVE-2026-27781 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy