Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Permission control vulnerability in the manufacturability design module. Impact: Successful exploitation of this vulnerability may affect availability.
AnalysisAI
A permission control vulnerability in HarmonyOS's manufacturability design module allows local attackers without privileges to read, modify, and degrade system availability through improper access controls. The vulnerability affects HarmonyOS across multiple versions and has a CVSS score of 5.9 (medium severity), with confirmed impacts on confidentiality, integrity, and availability despite the description emphasizing availability impact alone.
Technical ContextAI
The vulnerability exists in HarmonyOS's manufacturability design module, a component likely providing specialized design or manufacturing-related functionality. CWE-840 (Use of Insufficiently Random Values) suggests the root cause may involve weak or missing authorization checks in this module, allowing unauthorized users to interact with protected resources. The local attack vector (AV:L) indicates the attacker must have local system access but does not require elevated privileges (PR:N), meaning any local user can trigger the vulnerability. The vulnerability affects the HarmonyOS operating system across an unspecified version range, as indicated by the CPE cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:*.
RemediationAI
Apply the security patch released by Huawei as specified in their security bulletin (https://consumer.huawei.com/en/support/bulletin/2026/5/). Exact patch version numbers are not specified in the available data; refer to the Huawei bulletin for the specific patched HarmonyOS version applicable to your device model. If immediate patching is not feasible, restrict local access to HarmonyOS devices through physical access controls and disable or restrict the manufacturability design module if it is non-essential for your deployment. Limit local user account creation to trusted personnel only and monitor system access logs for suspicious local activity. Note that restricting local access may impact device manufacturing, maintenance, or specialized design workflows if the manufacturability module is required for your use case.
Same weakness CWE-840 – Business Logic Errors
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30532
GHSA-h8pp-98px-h583