Severity by source
AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Permission control vulnerability in the app management and control module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
AnalysisAI
HarmonyOS app management and control module permits local privilege escalation through improper permission controls, allowing unauthenticated local attackers with user interaction to access confidential service data. CVSS 3.6 (low severity) reflects local-only attack vector and requirement for user interaction, though the privilege escalation nature means affected systems warrant review for deployment context.
Technical ContextAI
The vulnerability resides in HarmonyOS's app management and control subsystem, which enforces application permissions and access controls. The underlying issue is classified as CWE-264 (Use of a Broken or Risky Cryptographic Algorithm), though the description indicates a permission control flaw rather than cryptographic weakness-suggesting the CWE classification may reflect inadequate permission validation logic rather than algorithm misuse. The local attack vector (AV:L) combined with user interaction requirement (UI:R) indicates exploitation requires either local code execution context or social engineering to trigger the vulnerable code path. The cross-scope impact (S:C) means the vulnerability can affect resources beyond the vulnerable component's security scope.
RemediationAI
Apply the security patch released by Huawei as documented in their May 2026 security bulletin (https://consumer.huawei.com/en/support/bulletin/2026/5/). Specific patched version numbers are not confirmed in available data; consult Huawei's bulletin directly for your device model and firmware track. Interim mitigation: restrict app installation permissions to trusted sources and disable installation from unknown sources (if available in your HarmonyOS configuration). Monitor app permission requests and revoke unnecessary permissions granted to third-party apps, particularly those requesting access to sensitive services. These mitigations do not fix the underlying vulnerability but reduce the attack surface for privilege escalation.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30530
GHSA-r3m7-p557-4m6j