Severity by source
AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
UAF vulnerability in the screen management module. Impact: Successful exploitation of this vulnerability may affect availability.
AnalysisAI
Use-after-free vulnerability in HarmonyOS screen management module allows local, unauthenticated attackers with user interaction to cause denial of service through a race condition. CVSS score of 2.5 reflects low severity with availability impact only; no confidentiality or integrity compromise. No public exploit code or active exploitation confirmed at time of analysis.
Technical ContextAI
The vulnerability exists in HarmonyOS screen management module as a use-after-free (CWE-362: Concurrent Execution Using Shared Resource with Improper Synchronization) condition. UAF vulnerabilities occur when a program references memory that has been freed, typically due to improper synchronization between concurrent operations or inadequate lifecycle management. In this case, a race condition in screen resource management allows an attacker to access or manipulate freed memory objects. The attack requires local access and user interaction (triggering UI actions), making it a client-side vulnerability rather than a network-facing one. The race condition nature suggests the vulnerability manifests under specific timing windows during concurrent screen state transitions.
RemediationAI
Apply the security patch released by Huawei through the official security bulletin at https://consumer.huawei.com/en/support/bulletin/2026/4/. Users should check the bulletin for their specific device model to obtain the patched HarmonyOS version, as fix versions vary by device hardware platform. Enable automatic system updates to receive patches as released. Until patching is possible, minimize use of screen management features and close unnecessary applications to reduce likelihood of triggering the race condition during concurrent screen state transitions, though this is not a reliable workaround.
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21829