Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Permission control vulnerability in the web. Impact: Successful exploitation of this vulnerability may affect availability.
AnalysisAI
Race condition in HarmonyOS web component enables local privilege escalation to full system compromise without authentication. The TOCTOU flaw (CWE-362) allows local attackers to achieve high confidentiality, integrity, and availability impact through unauthorized permission escalation. Huawei has released patches via May 2026 security bulletins for both mobile and laptop devices. EPSS data not yet available for this 2026 CVE; no confirmed active exploitation or public POC identified at time of analysis.
Technical ContextAI
This vulnerability stems from a time-of-check-time-of-use (TOCTOU) race condition (CWE-362) in HarmonyOS's web component permission control mechanism. Race conditions occur when the security-critical state can change between validation and use, creating a window where attackers can manipulate resources or permissions. In permission control systems, TOCTOU flaws typically allow bypassing authorization checks by exploiting the timing gap between permission verification and action execution. The CPE string (cpe:2.3:a:huawei:harmonyos) indicates this affects HarmonyOS across multiple device types. The local attack vector (AV:L) with no required privileges (PR:N) suggests the flaw exists in a component accessible to unprivileged local processes or users, potentially in the web rendering engine's permission handling for device capabilities or file system access.
RemediationAI
Apply the security updates provided in Huawei's May 2026 security bulletins. Mobile device users should review https://consumer.huawei.com/en/support/bulletin/2026/5/ and laptop users should consult https://consumer.huawei.com/en/support/bulletinlaptops/2026/5/ for device-specific patch versions and installation instructions. Huawei typically delivers HarmonyOS security updates through the device Settings app under System & Updates. Until patches are applied, organizations should implement defense-in-depth controls: restrict installation of applications to trusted sources only (disable third-party app installations if feasible - note this limits device functionality), enforce mobile device management policies to monitor for suspicious local application behavior, and limit physical access to devices in shared or public environments. For enterprise deployments, consider isolating unpatched HarmonyOS devices from accessing sensitive network resources until updates are confirmed applied, though this may impact business operations. The local attack vector means network segmentation provides limited protection - priority must be on endpoint patching and application control.
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30523
GHSA-9wgr-ww7c-cg24