Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H
Lifecycle Timeline
4DescriptionCVE.org
Double free vulnerability in the multi-mode input system. Impact: Successful exploitation of this vulnerability may affect availability.
AnalysisAI
Double free vulnerability in Huawei HarmonyOS multi-mode input system allows local authenticated users with user interaction to cause information disclosure and denial of service. The vulnerability affects availability through memory corruption, with a CVSS score of 5.6 indicating moderate risk. No public exploit code or active exploitation has been confirmed at time of analysis.
Technical ContextAI
This vulnerability exists in HarmonyOS's multi-mode input subsystem and is classified as CWE-415 (Double Free). Double free vulnerabilities occur when memory is deallocated twice, leading to heap corruption that can trigger denial of service or information disclosure. The attack requires local access and authenticated privileges, suggesting the input system processes untrusted data from local authenticated sessions. The multi-mode input system likely handles various input modes (keyboard, touch, voice, etc.) and improper reference counting or cleanup logic in this handler creates the double-free condition.
RemediationAI
Huawei users should immediately apply vendor-released security updates from the official Huawei consumer support bulletin at https://consumer.huawei.com/en/support/bulletin/2026/4/ for consumer devices or https://consumer.huawei.com/en/support/bulletinlaptops/2026/4/ for laptops. Exact patched versions are not specified in the provided advisory data; users must download patches directly from Huawei. Interim mitigations include restricting local access to HarmonyOS devices to trusted users and minimizing use of multi-mode input features until patches are applied. No workaround is specified in the available data.
Same weakness CWE-415 – Double Free
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21804
GHSA-84fx-xj3c-r25h