Skip to main content

CVE-2026-34861

| EUVDEUVD-2026-21840 MEDIUM
Race Condition (CWE-362)
2026-04-13 huawei GHSA-f62w-wrrf-x26f
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Apr 13, 2026 - 05:27 vuln.today
EUVD ID Assigned
Apr 13, 2026 - 05:15 euvd
EUVD-2026-21840
Analysis Generated
Apr 13, 2026 - 05:15 vuln.today
CVE Published
Apr 13, 2026 - 04:08 nvd
MEDIUM 6.3

DescriptionCVE.org

Race condition vulnerability in the thermal management module. Impact: Successful exploitation of this vulnerability may affect availability.

AnalysisAI

Race condition in Huawei HarmonyOS thermal management module allows local authenticated users to disclose information and modify system integrity through concurrent access exploitation. An attacker with high privileges can trigger a timing-dependent race condition to achieve information disclosure, integrity compromise, and potential availability impact. CVSS 6.3 reflects the attack's requirement for high privilege escalation and local access, though the integrity impact (I:H) signals significant potential for system manipulation despite the officially stated availability focus.

Technical ContextAI

The vulnerability exists in HarmonyOS's thermal management subsystem, which is responsible for monitoring and regulating device temperature through CPU frequency scaling, fan control, and thermal throttling. Race conditions (CWE-362) occur when multiple execution threads or processes access shared thermal state variables without proper synchronization mechanisms, creating a time-of-check-to-time-of-use (TOCTOU) window. An attacker exploiting this window can read sensitive thermal sensor data or bypass thermal limits before mitigation is applied, potentially exposing device operational state information and enabling manipulation of thermal policies that protect hardware integrity.

RemediationAI

Apply the security update released by Huawei as described in the official security bulletins at https://consumer.huawei.com/en/support/bulletin/2026/4/ (for general HarmonyOS devices) and https://consumer.huawei.com/en/support/bulletinwearables/2026/4/ (for wearable devices). Specific patch version numbers are not independently confirmed in available data; users should follow Huawei's staged rollout schedule and device-specific update instructions. As an interim mitigation, restrict administrative access to trusted accounts only and monitor thermal management logs for anomalous concurrent access patterns, though no complete workaround exists for the race condition itself.

Share

CVE-2026-34861 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy