Skip to main content

OpenHarmony CVE-2026-28751

| EUVDEUVD-2026-30827 LOW
Improper Input Validation (CWE-20)
2026-05-19 OpenHarmony GHSA-7gq8-55gr-wpmv
3.3
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 19, 2026 - 03:47 vuln.today

DescriptionCVE.org

in OpenHarmony v6.0 and prior versions allow a local attacker cause DOS.

AnalysisAI

Local denial-of-service in OpenHarmony v6.0 and prior versions exploits an improper input validation flaw (CWE-20), allowing a low-privileged local attacker to partially disrupt availability without requiring user interaction. The CVSS score of 3.3 (Low) reflects constrained impact: availability impact is rated Low (A:L), with no confidentiality or integrity loss. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in the lower tier of operational urgency.

Technical ContextAI

OpenHarmony is the open-source distributed operating system developed under the OpenAtom Foundation (originally Huawei-backed), targeting IoT, embedded, and mobile device deployments. The affected CPE (cpe:2.3:a:openharmony:openharmony:*:*:*:*:*:*:*:*) covers all versions up to and including v6.0 without version-specific bounding on the lower end. CWE-20 (Improper Input Validation) indicates the root cause is failure to adequately check, sanitize, or constrain attacker-supplied input before it is processed - a class of flaw that, when triggered locally, can cause abnormal termination or resource exhaustion in affected components. The exact internal component or subsystem containing the vulnerable input path is not identified in the available data, as the CVE description is structurally incomplete (missing the subject/component noun).

RemediationAI

Consult the OpenHarmony April 2026 security disclosure at https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-04.md for the vendor-confirmed patched release version - an exact fix version is not independently confirmed from the data provided and should not be inferred. Apply the vendor-released patch once identified and tested for your deployment target. As a compensating control pending patching, restrict local shell or application-layer access on OpenHarmony devices to only trusted, necessary accounts, reducing the pool of principals capable of triggering the flaw. Given the local-only attack vector, network-level mitigations provide no protective value here. The low severity and lack of active exploitation make emergency patching unnecessary for most deployments, but standard patch cycles should include this fix.

CVE-2024-37185 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-37077 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-37030 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-36260 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2024-36243 CRITICAL
9.8 Jul 02

in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through

CVE-2026-27648 HIGH
8.8 May 19

Arbitrary code execution in OpenHarmony v6.0 and earlier enables remote attackers with low privileges to execute code wi

CVE-2025-0303 HIGH
8.8 Feb 07

in OpenHarmony v4.1.2 and prior versions allow a local attacker cause the common permission is upgraded to root and sens

CVE-2024-29074 HIGH
8.8 Apr 02

in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through improper in

CVE-2024-22098 HIGH
8.8 Apr 02

in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through use after f

CVE-2024-21860 HIGH
8.8 Feb 02

in OpenHarmony v4.0.0 and prior versions allow an adjacent attacker arbitrary code execution in any apps through use aft

CVE-2022-42463 HIGH
8.8 Oct 14

OpenHarmony-v3.1.2 and prior versions have an authenication bypass vulnerability in a callback handler function of Softb

CVE-2022-38700 HIGH
8.8 Sep 09

OpenHarmony-v3.1.1 and prior versions have a permission bypass vulnerability. Rated high severity (CVSS 8.8), this vulne

Share

CVE-2026-28751 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy