Skip to main content

Huawei HarmonyOS CVE-2026-41970

| EUVDEUVD-2026-30534 MEDIUM
Out-of-bounds Write (CWE-787)
2026-05-15 huawei GHSA-37mq-vvr9-ppr8
6.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 15, 2026 - 10:31 vuln.today
CVE Published
May 15, 2026 - 09:33 nvd
MEDIUM 6.8

DescriptionCVE.org

Out-of-bounds write vulnerability in the distributed file system module. Impact: Successful exploitation of this vulnerability may affect availability.

AnalysisAI

Out-of-bounds write in Huawei HarmonyOS and EMUI distributed file system module allows authenticated local attackers to corrupt memory, potentially affecting system availability and integrity. CVSS 6.8 reflects adjacent network access requirement and low attack complexity, but exploitation requires prior authentication and local network presence. No public exploit code or active exploitation confirmed at time of analysis.

Technical ContextAI

The vulnerability exists in the distributed file system (DFS) module, a core component responsible for managing file operations across networked nodes in HarmonyOS and EMUI ecosystems. The underlying flaw is CWE-787 (out-of-bounds write), a memory corruption vulnerability where the DFS module fails to properly validate buffer boundaries during write operations. This allows an authenticated user on an adjacent network to write data beyond allocated memory regions, corrupting heap or stack structures. The attack vector is adjacent network (AV:A), indicating the attacker must be on the same network segment as the target device, not remotely accessible via the internet.

RemediationAI

Consult Huawei security bulletins at https://consumer.huawei.com/en/support/bulletin/2026/5/ for HarmonyOS and https://consumer.huawei.com/en/support/bulletinwearables/2026/5/ for wearables/EMUI for patched versions and upgrade instructions. If patch is available, update to the recommended version immediately. As an interim compensating control, restrict network access to the affected device by disabling DFS module if not required for operations, or isolate the device to a trusted network segment where only authenticated devices have access. If DFS must remain enabled, implement network segmentation and strong authentication (disable default credentials, enforce strong passwords) to limit the pool of authenticated users who could exploit this vulnerability. Note: disabling DFS may impact file sharing and synchronization features across HarmonyOS devices.

More in Emui

View all
CVE-2024-32991 CRITICAL
9.8 May 14

Permission verification vulnerability in the wpa_supplicant module Impact: Successful exploitation of this vulnerability

CVE-2023-46773 CRITICAL
9.8 Dec 06

Permission management vulnerability in the PMS module. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2023-44116 CRITICAL
9.8 Oct 11

Vulnerability of access permissions not being strictly verified in the APPWidget module.Successful exploitation of this

CVE-2023-44105 CRITICAL
9.8 Oct 11

Vulnerability of permissions not being strictly verified in the window management module.Successful exploitation of this

CVE-2023-44106 CRITICAL
9.8 Oct 11

API permission management vulnerability in the Fwk-Display module.Successful exploitation of this vulnerability may caus

CVE-2023-41297 CRITICAL
9.8 Sep 25

Vulnerability of defects introduced in the design process in the HiviewTunner module. Rated critical severity (CVSS 9.8)

CVE-2023-39405 CRITICAL
9.8 Aug 13

Vulnerability of out-of-bounds parameter read/write in the Wi-Fi module. Rated critical severity (CVSS 9.8), this vulner

CVE-2023-37242 CRITICAL
9.8 Jul 06

Vulnerability of commands from the modem being intercepted in the atcmdserver module. Rated critical severity (CVSS 9.8)

CVE-2023-34159 CRITICAL
9.8 Jun 19

Improper permission control vulnerability in the Notepad app.Successful exploitation of the vulnerability may lead to pr

CVE-2022-46327 CRITICAL
9.8 Dec 20

Some smartphones have configuration issues. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitab

CVE-2022-46326 CRITICAL
9.8 Dec 20

Some smartphones have the out-of-bounds write vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is r

CVE-2022-46325 CRITICAL
9.8 Dec 20

Some smartphones have the out-of-bounds write vulnerability.Successful exploitation of this vulnerability may cause syst

Share

CVE-2026-41970 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy