Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Out-of-bounds write vulnerability in the WEB module.Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.
AnalysisAI
Out-of-bounds write in Huawei HarmonyOS WEB module allows local attackers without privileges to cause integrity and availability impact through a classic buffer overflow condition. CVSS 5.1 (moderate) reflects local-only attack vector and limited scope, though the vulnerability affects a core web rendering component. No active exploitation or public proof-of-concept confirmed at time of analysis.
Technical ContextAI
The vulnerability resides in HarmonyOS's WEB module, likely involving web content rendering or parsing functions. CWE-120 (classic buffer overflow / improper handling of variable-length input without bounds checking) indicates memory safety failure in C/C++ code that processes attacker-controlled data without validating buffer boundaries. The WEB module handles HTTP/HTTPS content parsing, JavaScript execution, or DOM manipulation-typical vectors for buffer overflow when input validation is insufficient. CPE cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:* indicates all HarmonyOS versions are currently in scope pending vendor clarification of patched releases.
RemediationAI
Apply the security patch released by Huawei for HarmonyOS WEB module vulnerability as documented in the official advisory at https://consumer.huawei.com/en/support/bulletinwearables/2026/4/. Check Huawei's security bulletin for the specific patched HarmonyOS version number for your device model. If patch availability is delayed, restrict local shell access and limit application permissions that could trigger WEB module parsing of untrusted content; however, patching remains the definitive remediation. Update HarmonyOS to the latest available firmware release for your device.
Same weakness CWE-120 – Classic Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21879
GHSA-xvjp-783h-vvhp