Skip to main content

CVE-2026-34857

| EUVDEUVD-2026-21834 MEDIUM
Race Condition (CWE-362)
2026-04-13 huawei
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Apr 13, 2026 - 05:27 vuln.today
EUVD ID Assigned
Apr 13, 2026 - 05:15 euvd
EUVD-2026-21834
Analysis Generated
Apr 13, 2026 - 05:15 vuln.today
CVE Published
Apr 13, 2026 - 04:05 nvd
MEDIUM 4.7

DescriptionCVE.org

UAF vulnerability in the communication module. Impact: Successful exploitation of this vulnerability may affect availability.

AnalysisAI

Use-after-free vulnerability in Huawei HarmonyOS communication module allows authenticated local attackers with high privileges to trigger denial of service and disclose limited information via a race condition. CVSS score 4.7 reflects the high privilege requirement and local attack vector, though the vulnerability impacts both availability and confidentiality. No public exploit code or active exploitation has been confirmed at this time.

Technical ContextAI

The vulnerability is a use-after-free (UAF) condition classified under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization, also known as race conditions). UAF occurs when freed memory is referenced after deallocation, typically enabling information disclosure or code execution. In this case, the flaw exists in Huawei HarmonyOS's communication module and is triggered through a race condition where concurrent execution paths reference shared resources without proper synchronization. The attacker must possess high privileges (PR:H in CVSS) and have local access (AV:L), significantly limiting the threat surface. The high attack complexity (AC:H) indicates that specific timing or conditions must be met to reliably trigger the vulnerability. While CVSS impact assessment lists availability as the primary concern, the vector notation (C:L) also indicates potential limited information disclosure.

RemediationAI

Huawei has published security bulletins addressing this vulnerability for HarmonyOS consumer products, wearables, and vision devices. Organizations should prioritize firmware updates released by Huawei corresponding to their device categories by consulting the three advisory URLs: consumer support bulletin (consumer.huawei.com/en/support/bulletin/2026/4/), wearables bulletin (consumer.huawei.com/en/support/bulletinwearables/2026/4/), and vision devices bulletin (consumer.huawei.com/en/support/bulletinvision/2026/4/). Detailed patch versions are not independently confirmed in the available data; device owners should download the latest stable firmware build for their specific device model from Huawei's official support channels. As a temporary measure, restrict local administrative access to HarmonyOS systems to trusted personnel only, as the vulnerability requires high privilege execution.

Share

CVE-2026-34857 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy