Skip to main content

CVE-2026-34866

| EUVDEUVD-2026-21879 MEDIUM
Classic Buffer Overflow (CWE-120)
2026-04-13 huawei GHSA-xvjp-783h-vvhp
5.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 13, 2026 - 07:29 vuln.today
EUVD ID Assigned
Apr 13, 2026 - 07:15 euvd
EUVD-2026-21879
Analysis Generated
Apr 13, 2026 - 07:15 vuln.today
CVE Published
Apr 13, 2026 - 06:03 nvd
MEDIUM 5.1

DescriptionCVE.org

Out-of-bounds write vulnerability in the WEB module.Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.

AnalysisAI

Out-of-bounds write in Huawei HarmonyOS WEB module allows local attackers without privileges to cause integrity and availability impact through a classic buffer overflow condition. CVSS 5.1 (moderate) reflects local-only attack vector and limited scope, though the vulnerability affects a core web rendering component. No active exploitation or public proof-of-concept confirmed at time of analysis.

Technical ContextAI

The vulnerability resides in HarmonyOS's WEB module, likely involving web content rendering or parsing functions. CWE-120 (classic buffer overflow / improper handling of variable-length input without bounds checking) indicates memory safety failure in C/C++ code that processes attacker-controlled data without validating buffer boundaries. The WEB module handles HTTP/HTTPS content parsing, JavaScript execution, or DOM manipulation-typical vectors for buffer overflow when input validation is insufficient. CPE cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:* indicates all HarmonyOS versions are currently in scope pending vendor clarification of patched releases.

RemediationAI

Apply the security patch released by Huawei for HarmonyOS WEB module vulnerability as documented in the official advisory at https://consumer.huawei.com/en/support/bulletinwearables/2026/4/. Check Huawei's security bulletin for the specific patched HarmonyOS version number for your device model. If patch availability is delayed, restrict local shell access and limit application permissions that could trigger WEB module parsing of untrusted content; however, patching remains the definitive remediation. Update HarmonyOS to the latest available firmware release for your device.

Share

CVE-2026-34866 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy