Skip to main content

CVE-2026-34856

| EUVDEUVD-2026-21800 HIGH
Race Condition (CWE-362)
2026-04-13 huawei GHSA-pvgc-rj6v-rx44
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 16, 2026 - 05:03 vuln.today
cvss_changed
Analysis Generated
Apr 13, 2026 - 04:24 vuln.today
EUVD ID Assigned
Apr 13, 2026 - 04:15 euvd
EUVD-2026-21800
Analysis Generated
Apr 13, 2026 - 04:15 vuln.today
CVE Published
Apr 13, 2026 - 03:56 nvd
HIGH 7.3

DescriptionCVE.org

UAF vulnerability in the communication module. Impact: Successful exploitation of this vulnerability may affect availability.

AnalysisAI

Use-after-free in Huawei HarmonyOS communication module allows local attackers to cause denial of service and potentially disclose information without authentication. The vulnerability stems from a race condition (CWE-362) enabling memory corruption with high availability impact. EPSS data not available; no public exploit identified at time of analysis. Vendor has released security bulletin with remediation guidance.

Technical ContextAI

This is a use-after-free (UAF) memory corruption vulnerability in HarmonyOS's communication module, classified as CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization - Race Condition). UAF vulnerabilities occur when a program continues to use a memory reference after it has been freed, creating a time-of-check/time-of-use (TOCTOU) race window. In concurrent execution environments like communication modules handling multiple threads or processes, improper synchronization can allow an attacker to manipulate freed memory before reallocation. The affected product is Huawei HarmonyOS (CPE 2.3:a:huawei:harmonyos), Huawei's distributed operating system used across mobile devices, wearables, and IoT products. The communication module likely handles inter-process communication, network protocols, or device-to-device connectivity where race conditions are most prevalent.

RemediationAI

Huawei has published official security bulletins with remediation guidance. Users should immediately review the appropriate bulletin: for HarmonyOS devices visit https://consumer.huawei.com/en/support/bulletin/2026/4/ and for HarmonyOS wearables visit https://consumer.huawei.com/en/support/bulletinwearables/2026/4/. Apply the vendor-supplied security updates through the device's system update mechanism as soon as available. The bulletins should specify exact patched versions for each affected device model. Until patching is complete, mitigating controls include restricting local device access to trusted users only, enabling device encryption and screen locks, and monitoring for unusual application behavior or unexpected system crashes that may indicate exploitation attempts. No effective workarounds exist for race condition vulnerabilities beyond applying the vendor patch.

Share

CVE-2026-34856 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy