Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Use-After-Free (UAF) vulnerability in the web. Impact: Successful exploitation of this vulnerability may affect availability.
AnalysisAI
Use-after-free vulnerability in Huawei HarmonyOS web components allows remote attackers to disclose sensitive information and cause limited integrity and availability impact. The vulnerability requires high attack complexity but can be triggered without authentication or user interaction over the network, affecting confidentiality, integrity, and availability with low severity (CVSS 5.6). No active exploitation has been publicly confirmed.
Technical ContextAI
The vulnerability is a use-after-free (UAF) memory corruption flaw classified under CWE-840 (Use of Incorrectly Resolved Name or Reference), occurring within web-related components of HarmonyOS. Use-after-free vulnerabilities arise when code attempts to access memory that has been deallocated, potentially allowing attackers to read sensitive data from freed memory regions or corrupt heap structures. The web component context suggests the flaw exists in browser, WebView, or HTML rendering subsystems. The high attack complexity (AC:H) indicates successful exploitation requires specific timing conditions, race conditions, or precise triggering of memory management edge cases that are not trivial to reproduce reliably.
RemediationAI
Apply the security update provided by Huawei through the official bulletins at https://consumer.huawei.com/en/support/bulletin/2026/5/ and https://consumer.huawei.com/en/support/bulletinlaptops/2026/5/. Specific patched version numbers are not available in provided data - consult the vendor bulletins for exact firmware versions to upgrade to. Until patching is possible, restrict network access to web components by disabling or sandboxing web browsing features if operationally feasible, though this provides only partial mitigation given the remote network vector. Implement network segmentation to limit exposure of affected HarmonyOS devices to untrusted networks.
Same weakness CWE-840 – Business Logic Errors
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30526
GHSA-rmrw-m86p-jc3w