Skip to main content

CVE-2026-34860

| EUVDEUVD-2026-21802 MEDIUM
Improper Access Control (CWE-284)
2026-04-13 huawei GHSA-3pf2-jjmr-vrv6
4.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.1 MEDIUM
AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 13, 2026 - 04:25 vuln.today
EUVD ID Assigned
Apr 13, 2026 - 04:15 euvd
EUVD-2026-21802
Analysis Generated
Apr 13, 2026 - 04:15 vuln.today
CVE Published
Apr 13, 2026 - 03:49 nvd
MEDIUM 4.1

DescriptionCVE.org

Access control vulnerability in the memo module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.

AnalysisAI

Improper access control in Huawei HarmonyOS memo module allows local, unauthenticated users to bypass authentication and read sensitive memo data, affecting confidentiality and system availability. The vulnerability requires user interaction (UI interaction flag set) and involves high attack complexity, resulting in a CVSS score of 4.1. No public exploit code or active exploitation has been confirmed at time of analysis.

Technical ContextAI

The vulnerability stems from inadequate access control enforcement (CWE-284: Improper Access Control) within the memo application module of HarmonyOS. The CVSS vector AV:L (local access vector) indicates the attack originates from the local system, and AC:H (high complexity) suggests the memo module fails to properly validate or enforce authentication boundaries when local processes attempt to access memo data. The vulnerability is not related to a third-party library but rather an architectural flaw in HarmonyOS's inter-process communication or storage permission model for the memo subsystem. The CPE specification (cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:*) indicates all HarmonyOS versions are potentially affected, though specific version ranges require vendor advisory verification.

RemediationAI

Users and administrators should immediately check the Huawei support bulletins at https://consumer.huawei.com/en/support/bulletin/2026/4/ (phones/tablets) and https://consumer.huawei.com/en/support/bulletinlaptops/2026/4/ (laptops) to identify the patched HarmonyOS version for their device model and apply the update. As a temporary workaround pending patch availability, restrict local access to HarmonyOS devices to trusted users only, disable unnecessary local network services, and review file-system permissions on the memo application's data directory to prevent unauthorized local processes from accessing stored memo content. No specific patch version number is provided in the vendor advisories referenced; contact Huawei support if the latest HarmonyOS build for your device model does not resolve the issue.

Share

CVE-2026-34860 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy