Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
in OpenHarmony v6.0 and prior versions allow a local attacker cause DOS.
AnalysisAI
Local denial-of-service in OpenHarmony v6.0 and prior versions exploits an improper input validation flaw (CWE-20), allowing a low-privileged local attacker to partially disrupt availability without requiring user interaction. The CVSS score of 3.3 (Low) reflects constrained impact: availability impact is rated Low (A:L), with no confidentiality or integrity loss. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in the lower tier of operational urgency.
Technical ContextAI
OpenHarmony is the open-source distributed operating system developed under the OpenAtom Foundation (originally Huawei-backed), targeting IoT, embedded, and mobile device deployments. The affected CPE (cpe:2.3:a:openharmony:openharmony:*:*:*:*:*:*:*:*) covers all versions up to and including v6.0 without version-specific bounding on the lower end. CWE-20 (Improper Input Validation) indicates the root cause is failure to adequately check, sanitize, or constrain attacker-supplied input before it is processed - a class of flaw that, when triggered locally, can cause abnormal termination or resource exhaustion in affected components. The exact internal component or subsystem containing the vulnerable input path is not identified in the available data, as the CVE description is structurally incomplete (missing the subject/component noun).
RemediationAI
Consult the OpenHarmony April 2026 security disclosure at https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-04.md for the vendor-confirmed patched release version - an exact fix version is not independently confirmed from the data provided and should not be inferred. Apply the vendor-released patch once identified and tested for your deployment target. As a compensating control pending patching, restrict local shell or application-layer access on OpenHarmony devices to only trusted, necessary accounts, reducing the pool of principals capable of triggering the flaw. Given the local-only attack vector, network-level mitigations provide no protective value here. The low severity and lack of active exploitation make emergency patching unnecessary for most deployments, but standard patch cycles should include this fix.
More in Openharmony
View allin OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through
Arbitrary code execution in OpenHarmony v6.0 and earlier enables remote attackers with low privileges to execute code wi
in OpenHarmony v4.1.2 and prior versions allow a local attacker cause the common permission is upgraded to root and sens
in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through improper in
in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through use after f
in OpenHarmony v4.0.0 and prior versions allow an adjacent attacker arbitrary code execution in any apps through use aft
OpenHarmony-v3.1.2 and prior versions have an authenication bypass vulnerability in a callback handler function of Softb
OpenHarmony-v3.1.1 and prior versions have a permission bypass vulnerability. Rated high severity (CVSS 8.8), this vulne
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30827
GHSA-7gq8-55gr-wpmv