Severity by source
AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Race condition vulnerability in the notification service. Impact: Successful exploitation of this vulnerability may affect availability.
AnalysisAI
Race condition in Huawei HarmonyOS notification service allows local high-privilege attackers to cause limited availability impact through timing-dependent exploitation. CVSS 1.9 reflects minimal real-world risk due to high attack complexity, elevated privileges, and no confidentiality or integrity effects. No public exploit code or active exploitation confirmed.
Technical ContextAI
The vulnerability exists in HarmonyOS notification service as a classic race condition (CWE-362), where concurrent access to shared resources during notification processing creates a window for state manipulation. Attack requires local system access with high privileges (PR:H per CVSS vector), meaning the attacker must already be an administrative or system user. The vulnerability affects resource availability rather than data confidentiality or integrity, limiting practical impact to denial of service of notification functionality.
RemediationAI
Apply the security patch from Huawei's official advisory at https://consumer.huawei.com/en/support/bulletin/2026/4/. Patch availability and specific version numbers should be confirmed via Huawei's support portal. As an interim measure, restrict administrative access and monitor notification service logs for suspicious timing patterns. This vulnerability requires administrative-level access, so principle of least privilege mitigation is effective.
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21792
GHSA-wr2h-3c4w-c34q