Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Lifecycle Timeline
5DescriptionCVE.org
UAF vulnerability in the communication module. Impact: Successful exploitation of this vulnerability may affect availability.
AnalysisAI
Use-after-free in Huawei HarmonyOS communication module allows local attackers to cause denial of service and potentially disclose information without authentication. The vulnerability stems from a race condition (CWE-362) enabling memory corruption with high availability impact. EPSS data not available; no public exploit identified at time of analysis. Vendor has released security bulletin with remediation guidance.
Technical ContextAI
This is a use-after-free (UAF) memory corruption vulnerability in HarmonyOS's communication module, classified as CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization - Race Condition). UAF vulnerabilities occur when a program continues to use a memory reference after it has been freed, creating a time-of-check/time-of-use (TOCTOU) race window. In concurrent execution environments like communication modules handling multiple threads or processes, improper synchronization can allow an attacker to manipulate freed memory before reallocation. The affected product is Huawei HarmonyOS (CPE 2.3:a:huawei:harmonyos), Huawei's distributed operating system used across mobile devices, wearables, and IoT products. The communication module likely handles inter-process communication, network protocols, or device-to-device connectivity where race conditions are most prevalent.
RemediationAI
Huawei has published official security bulletins with remediation guidance. Users should immediately review the appropriate bulletin: for HarmonyOS devices visit https://consumer.huawei.com/en/support/bulletin/2026/4/ and for HarmonyOS wearables visit https://consumer.huawei.com/en/support/bulletinwearables/2026/4/. Apply the vendor-supplied security updates through the device's system update mechanism as soon as available. The bulletins should specify exact patched versions for each affected device model. Until patching is complete, mitigating controls include restricting local device access to trusted users only, enabling device encryption and screen locks, and monitoring for unusual application behavior or unexpected system crashes that may indicate exploitation attempts. No effective workarounds exist for race condition vulnerabilities beyond applying the vendor patch.
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21800
GHSA-pvgc-rj6v-rx44