Skip to main content

Huawei HarmonyOS CVE-2026-41963

| EUVDEUVD-2026-30525 LOW
Stack-based Buffer Overflow (CWE-121)
2026-05-15 huawei GHSA-mrjv-j4g7-xx5r
2.8
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.8 LOW
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 15, 2026 - 10:30 vuln.today
CVE Published
May 15, 2026 - 09:03 nvd
LOW 2.8

DescriptionCVE.org

Stack overflow vulnerability in the media platform. Impact: Successful exploitation of this vulnerability may affect availability.

AnalysisAI

Stack overflow in Huawei HarmonyOS media platform allows local authenticated users to cause denial of service through a crafted media file that triggers stack memory exhaustion. The vulnerability requires user interaction and authenticated access (CVSS PR:L), limiting its real-world severity despite affecting availability. No public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

The vulnerability is a classic stack overflow (CWE-121) in the media platform component of HarmonyOS, triggered during media processing. Stack overflows occur when an application writes more data to a stack-allocated buffer than it can hold, corrupting the stack and potentially enabling code execution or denial of service. In this case, the vulnerability manifests as an availability impact only, suggesting the overflow corrupts local stack frames without achieving arbitrary code execution. The attack vector is local with low complexity, meaning the attacker must have local system access and trigger the vulnerability through a user interaction with a malicious media file on an affected HarmonyOS device.

RemediationAI

Apply the latest HarmonyOS security patch released by Huawei in May 2026 or later. Users should check the product-specific security bulletins (phones, tablets, vision, wearables, laptops) at the Huawei consumer support portal to identify their device category and download the appropriate patch. As a compensating control pending patching, restrict the opening of media files from untrusted sources - disable auto-play of media in applications and require explicit user confirmation before opening files from emails or web downloads. This reduces the likelihood of accidental trigger of the media processing code. No workaround completely eliminates the vulnerability without patch application.

Share

CVE-2026-41963 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy