Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Out-of-bounds write vulnerability in the file system. Impact: Successful exploitation of this vulnerability may affect availability.
AnalysisAI
Out-of-bounds write in HarmonyOS file system allows local privileged attackers to corrupt memory with high impact on confidentiality, integrity, and availability. The vulnerability affects HarmonyOS across versions and requires high-level local system privileges to exploit, making it a critical concern for multi-user systems and containerized deployments where privilege escalation vectors exist.
Technical ContextAI
The vulnerability is a classic out-of-bounds write (CWE-787) in memory management within HarmonyOS's file system implementation. This class of memory corruption defect occurs when code writes data beyond the intended boundaries of a buffer, potentially overwriting adjacent heap or stack memory. The affected product is HarmonyOS (CPE: cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:*), indicating all versions are potentially impacted. File system components typically handle I/O operations at the kernel or privileged user-space level, and an out-of-bounds write in this context can cascade into arbitrary memory corruption, potentially enabling code execution or system denial of service.
RemediationAI
Huawei has published a security bulletin at https://consumer.huawei.com/en/support/bulletin/2026/4/ detailing remediation steps and patch availability. Users should consult that bulletin to identify the specific patched version applicable to their HarmonyOS release and apply updates immediately. In the interim, restrict local system access to trusted administrators and implement least-privilege account policies to reduce the likelihood of a high-privilege user exploiting this vulnerability. Monitor file system operations and system memory corruption events via available HarmonyOS security logging.
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21844
GHSA-m263-6xmg-c437