Severity by source
AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
Lifecycle Timeline
2DescriptionCVE.org
Out-of-bounds write vulnerability in the distributed file system module. Impact: Successful exploitation of this vulnerability may affect availability.
AnalysisAI
Out-of-bounds write in Huawei HarmonyOS and EMUI distributed file system module allows authenticated local attackers to corrupt memory, potentially affecting system availability and integrity. CVSS 6.8 reflects adjacent network access requirement and low attack complexity, but exploitation requires prior authentication and local network presence. No public exploit code or active exploitation confirmed at time of analysis.
Technical ContextAI
The vulnerability exists in the distributed file system (DFS) module, a core component responsible for managing file operations across networked nodes in HarmonyOS and EMUI ecosystems. The underlying flaw is CWE-787 (out-of-bounds write), a memory corruption vulnerability where the DFS module fails to properly validate buffer boundaries during write operations. This allows an authenticated user on an adjacent network to write data beyond allocated memory regions, corrupting heap or stack structures. The attack vector is adjacent network (AV:A), indicating the attacker must be on the same network segment as the target device, not remotely accessible via the internet.
RemediationAI
Consult Huawei security bulletins at https://consumer.huawei.com/en/support/bulletin/2026/5/ for HarmonyOS and https://consumer.huawei.com/en/support/bulletinwearables/2026/5/ for wearables/EMUI for patched versions and upgrade instructions. If patch is available, update to the recommended version immediately. As an interim compensating control, restrict network access to the affected device by disabling DFS module if not required for operations, or isolate the device to a trusted network segment where only authenticated devices have access. If DFS must remain enabled, implement network segmentation and strong authentication (disable default credentials, enforce strong passwords) to limit the pool of authenticated users who could exploit this vulnerability. Note: disabling DFS may impact file sharing and synchronization features across HarmonyOS devices.
Permission verification vulnerability in the wpa_supplicant module Impact: Successful exploitation of this vulnerability
Permission management vulnerability in the PMS module. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Vulnerability of access permissions not being strictly verified in the APPWidget module.Successful exploitation of this
Vulnerability of permissions not being strictly verified in the window management module.Successful exploitation of this
API permission management vulnerability in the Fwk-Display module.Successful exploitation of this vulnerability may caus
Vulnerability of defects introduced in the design process in the HiviewTunner module. Rated critical severity (CVSS 9.8)
Vulnerability of out-of-bounds parameter read/write in the Wi-Fi module. Rated critical severity (CVSS 9.8), this vulner
Vulnerability of commands from the modem being intercepted in the atcmdserver module. Rated critical severity (CVSS 9.8)
Improper permission control vulnerability in the Notepad app.Successful exploitation of the vulnerability may lead to pr
Some smartphones have configuration issues. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitab
Some smartphones have the out-of-bounds write vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is r
Some smartphones have the out-of-bounds write vulnerability.Successful exploitation of this vulnerability may cause syst
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30534
GHSA-37mq-vvr9-ppr8