Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Permission control vulnerability in the manufacturability design module. Impact: Successful exploitation of this vulnerability may affect availability.
AnalysisAI
HarmonyOS manufacturability design module contains a permission control vulnerability (CWE-840) that allows local attackers without privileges to read sensitive information and modify system state on affected devices. The vulnerability has a CVSS score of 5.9 with local attack vector and low complexity, affecting confidentiality, integrity, and availability. Patch status and active exploitation status are not confirmed from available vendor advisory data.
Technical ContextAI
The vulnerability exists in HarmonyOS's manufacturability design module, a component likely used during device manufacturing, testing, or diagnostic operations. CWE-840 (Use of Inadequately Validated Form Data) indicates that the module fails to properly validate or enforce permission controls on sensitive operations or data access. The local attack vector (AV:L) and no-privilege requirement (PR:N) suggest an unprivileged local user or process on the device can bypass intended access controls through the manufacturability interface. This may involve direct system calls, file system access, or inter-process communication mechanisms that should be restricted but lack proper permission validation.
RemediationAI
Check the Huawei HarmonyOS security bulletin at https://consumer.huawei.com/en/support/bulletin/2026/5/ for device-specific patch availability and upgrade instructions. If a patched HarmonyOS version is available for your device model, apply it immediately. As compensating controls pending patch availability: restrict installation of untrusted applications from non-official app stores to limit local code execution that could trigger this vulnerability; if the device supports developer mode or factory reset modes that expose the manufacturability module, disable these features in production deployments; monitor system logs for unusual access patterns to system diagnostics or manufacturing-related interfaces. Note that these controls do not eliminate the vulnerability and should be temporary measures pending patch deployment.
Same weakness CWE-840 – Business Logic Errors
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30533
GHSA-mmcj-637g-3xw4