Severity by source
AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
UAF vulnerability in the communication module. Impact: Successful exploitation of this vulnerability may affect availability.
AnalysisAI
Use-after-free vulnerability in Huawei HarmonyOS communication module allows authenticated local attackers with high privileges to trigger denial of service and disclose limited information via a race condition. CVSS score 4.7 reflects the high privilege requirement and local attack vector, though the vulnerability impacts both availability and confidentiality. No public exploit code or active exploitation has been confirmed at this time.
Technical ContextAI
The vulnerability is a use-after-free (UAF) condition classified under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization, also known as race conditions). UAF occurs when freed memory is referenced after deallocation, typically enabling information disclosure or code execution. In this case, the flaw exists in Huawei HarmonyOS's communication module and is triggered through a race condition where concurrent execution paths reference shared resources without proper synchronization. The attacker must possess high privileges (PR:H in CVSS) and have local access (AV:L), significantly limiting the threat surface. The high attack complexity (AC:H) indicates that specific timing or conditions must be met to reliably trigger the vulnerability. While CVSS impact assessment lists availability as the primary concern, the vector notation (C:L) also indicates potential limited information disclosure.
RemediationAI
Huawei has published security bulletins addressing this vulnerability for HarmonyOS consumer products, wearables, and vision devices. Organizations should prioritize firmware updates released by Huawei corresponding to their device categories by consulting the three advisory URLs: consumer support bulletin (consumer.huawei.com/en/support/bulletin/2026/4/), wearables bulletin (consumer.huawei.com/en/support/bulletinwearables/2026/4/), and vision devices bulletin (consumer.huawei.com/en/support/bulletinvision/2026/4/). Detailed patch versions are not independently confirmed in the available data; device owners should download the latest stable firmware build for their specific device model from Huawei's official support channels. As a temporary measure, restrict local administrative access to HarmonyOS systems to trusted personnel only, as the vulnerability requires high privilege execution.
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21834