Skip to main content

CVE-2026-34862

| EUVDEUVD-2026-21842 MEDIUM
Race Condition (CWE-362)
2026-04-13 huawei GHSA-jfmc-cqjc-6j2h
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Apr 13, 2026 - 05:27 vuln.today
EUVD ID Assigned
Apr 13, 2026 - 05:15 euvd
EUVD-2026-21842
Analysis Generated
Apr 13, 2026 - 05:15 vuln.today
CVE Published
Apr 13, 2026 - 04:09 nvd
MEDIUM 6.3

DescriptionCVE.org

Race condition vulnerability in the power consumption statistics module. Impact: Successful exploitation of this vulnerability may affect availability.

AnalysisAI

Race condition in Huawei HarmonyOS power consumption statistics module allows local privileged users to disclose information and modify system integrity, potentially affecting service availability. The vulnerability requires high privilege level and local access but enables information disclosure combined with integrity and availability impact. CVSS 6.3 reflects moderate real-world risk given the privilege requirement; Huawei has issued security advisories indicating patch availability.

Technical ContextAI

The vulnerability exists in the power consumption statistics module of Huawei HarmonyOS (CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization). Race conditions occur when multiple threads or processes access shared resources without proper synchronization mechanisms, allowing one actor to view or modify data intended for exclusive access. In this case, the statistics module-likely responsible for collecting and managing power usage telemetry-fails to properly synchronize access to its shared data structures. A local attacker with high privilege (PR:H per CVSS) can exploit the timing window between resource reads and writes to leak information (Confidentiality impact: Low) and corrupt module state (Integrity impact: High, Availability impact: High). The low attack complexity (AC:L) indicates the race condition can be triggered reliably without special conditions.

RemediationAI

Refer to Huawei's official security bulletins at https://consumer.huawei.com/en/support/bulletin/2026/4/ for consumer devices and https://consumer.huawei.com/en/support/bulletinwearables/2026/4/ for wearables to identify your device model and obtain the patched HarmonyOS version. Apply the available security update as indicated in those advisories. Until patching is possible, restrict high-privilege administrative access on HarmonyOS devices to trusted users only, and monitor logs for unusual activity in the power consumption statistics module. Patch availability is confirmed via vendor advisory; exact fix version numbers should be obtained directly from Huawei's bulletins.

Share

CVE-2026-34862 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy