Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
in OpenHarmony v6.0 and prior versions allow a local attacker cause DOS.
AnalysisAI
Integer overflow in OpenHarmony v6.0 and prior versions enables a local authenticated attacker to trigger a denial-of-service condition, resulting in an availability impact. The vulnerability is low severity with a CVSS score of 3.3, requires local access with low privileges, and no public exploit or active exploitation has been identified at time of analysis. Notably, the CVE tags include 'Information Disclosure' despite the CVSS vector indicating no confidentiality impact (C:N), a discrepancy that warrants vendor clarification.
Technical ContextAI
OpenHarmony is an open-source distributed operating system developed under the OpenAtom Foundation, targeting IoT and embedded devices. The root cause is CWE-190 (Integer Overflow or Wraparound), a class of vulnerability where arithmetic operations produce values that exceed the bounds of the integer type, wrapping to unexpected values. In this context, the overflow likely occurs within a kernel or system service component, allowing a local process to trigger abnormal resource exhaustion or process crash. The affected product is identified via CPE cpe:2.3:a:openharmony:openharmony:*:*:*:*:*:*:*:*, covering all versions up to and including v6.0. The exact component or subsystem containing the overflow is not specified in available data.
RemediationAI
Consult the OpenHarmony security disclosure for April 2026 at https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-04.md to obtain the patched release version - no specific fix version number is confirmed in available data, so the exact upgrade target should be derived from that advisory. As a compensating control, restrict shell or local process access to untrusted users on OpenHarmony-based devices, as exploitation requires a locally authenticated low-privilege account. Limiting the attack surface by enforcing least-privilege user policies and disabling unnecessary local user accounts reduces exposure. Note that these controls address the privilege prerequisite but do not eliminate the underlying integer overflow.
More in Openharmony
View allin OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through
Arbitrary code execution in OpenHarmony v6.0 and earlier enables remote attackers with low privileges to execute code wi
in OpenHarmony v4.1.2 and prior versions allow a local attacker cause the common permission is upgraded to root and sens
in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through improper in
in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through use after f
in OpenHarmony v4.0.0 and prior versions allow an adjacent attacker arbitrary code execution in any apps through use aft
OpenHarmony-v3.1.2 and prior versions have an authenication bypass vulnerability in a callback handler function of Softb
OpenHarmony-v3.1.1 and prior versions have a permission bypass vulnerability. Rated high severity (CVSS 8.8), this vulne
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30828
GHSA-ghh2-q8rr-q487