Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Race condition vulnerability in the power consumption statistics module. Impact: Successful exploitation of this vulnerability may affect availability.
AnalysisAI
Race condition in Huawei HarmonyOS power consumption statistics module allows local privileged users to disclose information and modify system integrity, potentially affecting service availability. The vulnerability requires high privilege level and local access but enables information disclosure combined with integrity and availability impact. CVSS 6.3 reflects moderate real-world risk given the privilege requirement; Huawei has issued security advisories indicating patch availability.
Technical ContextAI
The vulnerability exists in the power consumption statistics module of Huawei HarmonyOS (CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization). Race conditions occur when multiple threads or processes access shared resources without proper synchronization mechanisms, allowing one actor to view or modify data intended for exclusive access. In this case, the statistics module-likely responsible for collecting and managing power usage telemetry-fails to properly synchronize access to its shared data structures. A local attacker with high privilege (PR:H per CVSS) can exploit the timing window between resource reads and writes to leak information (Confidentiality impact: Low) and corrupt module state (Integrity impact: High, Availability impact: High). The low attack complexity (AC:L) indicates the race condition can be triggered reliably without special conditions.
RemediationAI
Refer to Huawei's official security bulletins at https://consumer.huawei.com/en/support/bulletin/2026/4/ for consumer devices and https://consumer.huawei.com/en/support/bulletinwearables/2026/4/ for wearables to identify your device model and obtain the patched HarmonyOS version. Apply the available security update as indicated in those advisories. Until patching is possible, restrict high-privilege administrative access on HarmonyOS devices to trusted users only, and monitor logs for unusual activity in the power consumption statistics module. Patch availability is confirmed via vendor advisory; exact fix version numbers should be obtained directly from Huawei's bulletins.
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21842
GHSA-jfmc-cqjc-6j2h