Skip to main content

HarmonyOS CVE-2026-41967

| EUVDEUVD-2026-30533 MEDIUM
Business Logic Errors (CWE-840)
2026-05-15 huawei GHSA-mmcj-637g-3xw4
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 15, 2026 - 10:31 vuln.today
CVE Published
May 15, 2026 - 09:27 nvd
MEDIUM 5.9

DescriptionCVE.org

Permission control vulnerability in the manufacturability design module. Impact: Successful exploitation of this vulnerability may affect availability.

AnalysisAI

HarmonyOS manufacturability design module contains a permission control vulnerability (CWE-840) that allows local attackers without privileges to read sensitive information and modify system state on affected devices. The vulnerability has a CVSS score of 5.9 with local attack vector and low complexity, affecting confidentiality, integrity, and availability. Patch status and active exploitation status are not confirmed from available vendor advisory data.

Technical ContextAI

The vulnerability exists in HarmonyOS's manufacturability design module, a component likely used during device manufacturing, testing, or diagnostic operations. CWE-840 (Use of Inadequately Validated Form Data) indicates that the module fails to properly validate or enforce permission controls on sensitive operations or data access. The local attack vector (AV:L) and no-privilege requirement (PR:N) suggest an unprivileged local user or process on the device can bypass intended access controls through the manufacturability interface. This may involve direct system calls, file system access, or inter-process communication mechanisms that should be restricted but lack proper permission validation.

RemediationAI

Check the Huawei HarmonyOS security bulletin at https://consumer.huawei.com/en/support/bulletin/2026/5/ for device-specific patch availability and upgrade instructions. If a patched HarmonyOS version is available for your device model, apply it immediately. As compensating controls pending patch availability: restrict installation of untrusted applications from non-official app stores to limit local code execution that could trigger this vulnerability; if the device supports developer mode or factory reset modes that expose the manufacturability module, disable these features in production deployments; monitor system logs for unusual access patterns to system diagnostics or manufacturing-related interfaces. Note that these controls do not eliminate the vulnerability and should be temporary measures pending patch deployment.

Share

CVE-2026-41967 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy