Severity by source
AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Access control vulnerability in the memo module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.
AnalysisAI
Improper access control in Huawei HarmonyOS memo module allows local, unauthenticated users to bypass authentication and read sensitive memo data, affecting confidentiality and system availability. The vulnerability requires user interaction (UI interaction flag set) and involves high attack complexity, resulting in a CVSS score of 4.1. No public exploit code or active exploitation has been confirmed at time of analysis.
Technical ContextAI
The vulnerability stems from inadequate access control enforcement (CWE-284: Improper Access Control) within the memo application module of HarmonyOS. The CVSS vector AV:L (local access vector) indicates the attack originates from the local system, and AC:H (high complexity) suggests the memo module fails to properly validate or enforce authentication boundaries when local processes attempt to access memo data. The vulnerability is not related to a third-party library but rather an architectural flaw in HarmonyOS's inter-process communication or storage permission model for the memo subsystem. The CPE specification (cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:*) indicates all HarmonyOS versions are potentially affected, though specific version ranges require vendor advisory verification.
RemediationAI
Users and administrators should immediately check the Huawei support bulletins at https://consumer.huawei.com/en/support/bulletin/2026/4/ (phones/tablets) and https://consumer.huawei.com/en/support/bulletinlaptops/2026/4/ (laptops) to identify the patched HarmonyOS version for their device model and apply the update. As a temporary workaround pending patch availability, restrict local access to HarmonyOS devices to trusted users only, disable unnecessary local network services, and review file-system permissions on the memo application's data directory to prevent unauthorized local processes from accessing stored memo content. No specific patch version number is provided in the vendor advisories referenced; contact Huawei support if the latest HarmonyOS build for your device model does not resolve the issue.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21802
GHSA-3pf2-jjmr-vrv6