Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H
Lifecycle Timeline
4DescriptionCVE.org
Stack overflow vulnerability in the media platform. Impact: Successful exploitation of this vulnerability may affect availability.
AnalysisAI
Stack overflow in HarmonyOS media platform allows authenticated local attackers to cause denial of service and potentially achieve limited information disclosure or integrity compromise through malicious user interaction. CVSS 6.1 reflects moderate severity with local attack vector, low complexity, and requirement for user interaction; EPSS and KEV status not provided. No public exploit code or active exploitation confirmed at time of analysis.
Technical ContextAI
The vulnerability exists in HarmonyOS media platform handling, specifically involving stack memory exhaustion (CWE-835: Infinite Loop) within media processing routines. The affected component processes user-supplied media data that triggers unbounded recursion or iteration, causing stack overflow. HarmonyOS spans multiple device classes (smartphones, wearables, laptops per referenced bulletins), all using the same underlying media stack. The local attack vector combined with user interaction requirement (UI:R in CVSS vector) indicates the attacker must either have local system access or trick a user into opening malicious media content. Authenticated privilege requirement (PR:L) further restricts exposure to users already logged into the system.
RemediationAI
Huawei has released patches for affected HarmonyOS versions distributed through separate security bulletins for each device class. Consumers should navigate to their device-specific bulletin (consumer.huawei.com support section for phones, wearables, or laptops) and apply the recommended security update. Update procedures vary by device type; follow the device-specific instructions provided in the bulletin. As an interim measure, avoid opening untrusted or suspicious media files from unknown sources, and restrict local system access to trusted users only. Patch availability per vendor advisory; exact fix versions are enumerated in the Huawei bulletins.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21796
GHSA-7qf2-g97r-ch8v