Skip to main content

HarmonyOS CVE-2026-41964

| EUVDEUVD-2026-30523 HIGH
Race Condition (CWE-362)
2026-05-15 huawei GHSA-9wgr-ww7c-cg24
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 15, 2026 - 10:30 vuln.today
CVE Published
May 15, 2026 - 09:00 nvd
HIGH 8.4

DescriptionCVE.org

Permission control vulnerability in the web. Impact: Successful exploitation of this vulnerability may affect availability.

AnalysisAI

Race condition in HarmonyOS web component enables local privilege escalation to full system compromise without authentication. The TOCTOU flaw (CWE-362) allows local attackers to achieve high confidentiality, integrity, and availability impact through unauthorized permission escalation. Huawei has released patches via May 2026 security bulletins for both mobile and laptop devices. EPSS data not yet available for this 2026 CVE; no confirmed active exploitation or public POC identified at time of analysis.

Technical ContextAI

This vulnerability stems from a time-of-check-time-of-use (TOCTOU) race condition (CWE-362) in HarmonyOS's web component permission control mechanism. Race conditions occur when the security-critical state can change between validation and use, creating a window where attackers can manipulate resources or permissions. In permission control systems, TOCTOU flaws typically allow bypassing authorization checks by exploiting the timing gap between permission verification and action execution. The CPE string (cpe:2.3:a:huawei:harmonyos) indicates this affects HarmonyOS across multiple device types. The local attack vector (AV:L) with no required privileges (PR:N) suggests the flaw exists in a component accessible to unprivileged local processes or users, potentially in the web rendering engine's permission handling for device capabilities or file system access.

RemediationAI

Apply the security updates provided in Huawei's May 2026 security bulletins. Mobile device users should review https://consumer.huawei.com/en/support/bulletin/2026/5/ and laptop users should consult https://consumer.huawei.com/en/support/bulletinlaptops/2026/5/ for device-specific patch versions and installation instructions. Huawei typically delivers HarmonyOS security updates through the device Settings app under System & Updates. Until patches are applied, organizations should implement defense-in-depth controls: restrict installation of applications to trusted sources only (disable third-party app installations if feasible - note this limits device functionality), enforce mobile device management policies to monitor for suspicious local application behavior, and limit physical access to devices in shared or public environments. For enterprise deployments, consider isolating unpatched HarmonyOS devices from accessing sensitive network resources until updates are confirmed applied, though this may impact business operations. The local attack vector means network segmentation provides limited protection - priority must be on endpoint patching and application control.

Share

CVE-2026-41964 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy