Skip to main content

CVE-2026-34865

| EUVDEUVD-2026-21877 CRITICAL
Heap-based Buffer Overflow (CWE-122)
2026-04-13 huawei GHSA-f3fr-gvgx-x9gh
10.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 19:37 vuln.today
cvss_changed
Analysis Generated
Apr 13, 2026 - 07:29 vuln.today
CVSS changed
Apr 13, 2026 - 07:22 NVD
10.0 (CRITICAL)
EUVD ID Assigned
Apr 13, 2026 - 07:15 euvd
EUVD-2026-21877
Analysis Generated
Apr 13, 2026 - 07:15 vuln.today
CVE Published
Apr 13, 2026 - 06:02 nvd
CRITICAL 10.0

DescriptionCVE.org

Out-of-bounds write vulnerability in the WEB module.Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.

AnalysisAI

Out-of-bounds heap write in Huawei HarmonyOS WEB module allows unauthenticated remote attackers to execute arbitrary code and exfiltrate sensitive data with no user interaction required. CVSS v4.0 score of 10.0 (Critical) reflects network-based exploitation with low complexity requiring no privileges or user interaction. No public exploit identified at time of analysis. The vulnerability achieves complete compromise of confidentiality, integrity, and availability across both vulnerable and subsequent system scopes.

Technical ContextAI

This vulnerability is rooted in CWE-122 (heap-based buffer overflow) affecting the WEB module within Huawei's HarmonyOS platform (CPE: cpe:2.3:a:huawei:harmonyos). The WEB module likely handles browser rendering, WebView components, or web content processing. A heap-based buffer overflow occurs when the application writes data beyond allocated heap memory boundaries, typically due to insufficient bounds checking during memory operations. In modern web rendering engines, such flaws often arise in parsing HTML/CSS/JavaScript, processing media codecs, or handling network protocol data. The heap corruption can be leveraged to overwrite function pointers, vtables, or other control structures to redirect program execution. Given the cross-scope impact indicated in the CVSS vector (SC:H/SI:H/SA:H), successful exploitation allows the attacker to break out of the WEB module's sandbox and compromise other system components or data partitions.

RemediationAI

Apply security updates as detailed in Huawei's official security bulletin for wearables available at https://consumer.huawei.com/en/support/bulletinwearables/2026/4/. The vendor advisory should specify patched firmware versions for affected HarmonyOS devices. Users of HarmonyOS-based wearables and IoT devices should immediately check for available system updates through device settings or Huawei's support channels and apply patches as soon as released. Until patching is complete, consider restricting network exposure of affected devices, disabling unnecessary web-based features if possible, and monitoring for suspicious network activity. Organizations deploying HarmonyOS devices should prioritize patch deployment given the network-based attack vector and lack of authentication requirements.

Share

CVE-2026-34865 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy