Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Out-of-bounds write vulnerability in the WEB module.Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.
AnalysisAI
Out-of-bounds heap write in Huawei HarmonyOS WEB module allows unauthenticated remote attackers to execute arbitrary code and exfiltrate sensitive data with no user interaction required. CVSS v4.0 score of 10.0 (Critical) reflects network-based exploitation with low complexity requiring no privileges or user interaction. No public exploit identified at time of analysis. The vulnerability achieves complete compromise of confidentiality, integrity, and availability across both vulnerable and subsequent system scopes.
Technical ContextAI
This vulnerability is rooted in CWE-122 (heap-based buffer overflow) affecting the WEB module within Huawei's HarmonyOS platform (CPE: cpe:2.3:a:huawei:harmonyos). The WEB module likely handles browser rendering, WebView components, or web content processing. A heap-based buffer overflow occurs when the application writes data beyond allocated heap memory boundaries, typically due to insufficient bounds checking during memory operations. In modern web rendering engines, such flaws often arise in parsing HTML/CSS/JavaScript, processing media codecs, or handling network protocol data. The heap corruption can be leveraged to overwrite function pointers, vtables, or other control structures to redirect program execution. Given the cross-scope impact indicated in the CVSS vector (SC:H/SI:H/SA:H), successful exploitation allows the attacker to break out of the WEB module's sandbox and compromise other system components or data partitions.
RemediationAI
Apply security updates as detailed in Huawei's official security bulletin for wearables available at https://consumer.huawei.com/en/support/bulletinwearables/2026/4/. The vendor advisory should specify patched firmware versions for affected HarmonyOS devices. Users of HarmonyOS-based wearables and IoT devices should immediately check for available system updates through device settings or Huawei's support channels and apply patches as soon as released. Until patching is complete, consider restricting network exposure of affected devices, disabling unnecessary web-based features if possible, and monitoring for suspicious network activity. Organizations deploying HarmonyOS devices should prioritize patch deployment given the network-based attack vector and lack of authentication requirements.
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21877
GHSA-f3fr-gvgx-x9gh