Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Race condition vulnerability in the thermal management module. Impact: Successful exploitation of this vulnerability may affect availability.
AnalysisAI
Race condition in Huawei HarmonyOS thermal management module allows local authenticated users to disclose information and modify system integrity through concurrent access exploitation. An attacker with high privileges can trigger a timing-dependent race condition to achieve information disclosure, integrity compromise, and potential availability impact. CVSS 6.3 reflects the attack's requirement for high privilege escalation and local access, though the integrity impact (I:H) signals significant potential for system manipulation despite the officially stated availability focus.
Technical ContextAI
The vulnerability exists in HarmonyOS's thermal management subsystem, which is responsible for monitoring and regulating device temperature through CPU frequency scaling, fan control, and thermal throttling. Race conditions (CWE-362) occur when multiple execution threads or processes access shared thermal state variables without proper synchronization mechanisms, creating a time-of-check-to-time-of-use (TOCTOU) window. An attacker exploiting this window can read sensitive thermal sensor data or bypass thermal limits before mitigation is applied, potentially exposing device operational state information and enabling manipulation of thermal policies that protect hardware integrity.
RemediationAI
Apply the security update released by Huawei as described in the official security bulletins at https://consumer.huawei.com/en/support/bulletin/2026/4/ (for general HarmonyOS devices) and https://consumer.huawei.com/en/support/bulletinwearables/2026/4/ (for wearable devices). Specific patch version numbers are not independently confirmed in available data; users should follow Huawei's staged rollout schedule and device-specific update instructions. As an interim mitigation, restrict administrative access to trusted accounts only and monitor thermal management logs for anomalous concurrent access patterns, though no complete workaround exists for the race condition itself.
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21840
GHSA-f62w-wrrf-x26f