Skip to main content

HarmonyOS/EMUI CVE-2026-41973

| EUVDEUVD-2026-35360 MEDIUM
Business Logic Errors (CWE-840)
2026-06-09 huawei GHSA-595m-hf52-xp2j
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 08:03 vuln.today

DescriptionCVE.org

Permission control vulnerability in calls. Impact: Successful exploitation of this vulnerability may affect availability.

AnalysisAI

Permission control bypass in Huawei HarmonyOS and EMUI's call-handling subsystem allows a locally present, unprivileged attacker to circumvent intended access restrictions, resulting in low-level impacts to confidentiality, integrity, and availability. The vulnerability stems from improper business logic governing permission enforcement (CWE-840), meaning the system fails to correctly validate whether a calling entity holds the required permissions before servicing a request. No public exploit code exists and the vulnerability has not been listed in the CISA Known Exploited Vulnerabilities catalog, but the low attack complexity and absence of privilege requirements lower the bar for local abuse.

Technical ContextAI

HarmonyOS and EMUI are Huawei's mobile/IoT operating system platforms. The affected component is the call-handling layer - likely inter-process communication (IPC), system API dispatch, or a similar call-routing mechanism - where permission checks are performed before servicing requests from applications or system components. CWE-840 (Business Logic Errors) indicates the flaw is not a classic memory-safety or injection issue but rather an incorrect or missing enforcement step in the permission validation flow: the logic controlling who is allowed to invoke certain calls contains a logical gap. The CVSS vector AV:L/AC:L/PR:N/UI:N confirms exploitation is strictly local (e.g., a malicious installed application), requires no special privileges, and needs no victim interaction. CPE strings cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:* and cpe:2.3:a:huawei:emui:*:*:*:*:*:*:*:* cover all tracked versions of both platforms, with exact affected version ranges not narrowed in available CPE data.

RemediationAI

The primary remediation is to apply the Huawei-issued patch referenced in the June 2026 Security Bulletin at https://consumer.huawei.com/en/support/bulletin/2026/6/. Users should update their HarmonyOS or EMUI devices to the patched build version specified in that bulletin - the exact fixed version is not independently confirmable from current input data and must be verified there. Since the attack vector is local and requires a malicious app to be present on the device, a meaningful compensating control in the absence of patching is to restrict application installation to the official Huawei AppGallery and disable sideloading (unknown sources). This limits the attacker's ability to deploy a weaponized app, though it does not address the underlying permission logic flaw. Enterprise MDM policies enforcing app allowlists on managed HarmonyOS/EMUI devices provide an additional layer of containment with the trade-off of reduced user flexibility.

More in Emui

View all
CVE-2024-32991 CRITICAL
9.8 May 14

Permission verification vulnerability in the wpa_supplicant module Impact: Successful exploitation of this vulnerability

CVE-2023-46773 CRITICAL
9.8 Dec 06

Permission management vulnerability in the PMS module. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2023-44116 CRITICAL
9.8 Oct 11

Vulnerability of access permissions not being strictly verified in the APPWidget module.Successful exploitation of this

CVE-2023-44105 CRITICAL
9.8 Oct 11

Vulnerability of permissions not being strictly verified in the window management module.Successful exploitation of this

CVE-2023-44106 CRITICAL
9.8 Oct 11

API permission management vulnerability in the Fwk-Display module.Successful exploitation of this vulnerability may caus

CVE-2023-41297 CRITICAL
9.8 Sep 25

Vulnerability of defects introduced in the design process in the HiviewTunner module. Rated critical severity (CVSS 9.8)

CVE-2023-39405 CRITICAL
9.8 Aug 13

Vulnerability of out-of-bounds parameter read/write in the Wi-Fi module. Rated critical severity (CVSS 9.8), this vulner

CVE-2023-37242 CRITICAL
9.8 Jul 06

Vulnerability of commands from the modem being intercepted in the atcmdserver module. Rated critical severity (CVSS 9.8)

CVE-2023-34159 CRITICAL
9.8 Jun 19

Improper permission control vulnerability in the Notepad app.Successful exploitation of the vulnerability may lead to pr

CVE-2022-46327 CRITICAL
9.8 Dec 20

Some smartphones have configuration issues. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitab

CVE-2022-46326 CRITICAL
9.8 Dec 20

Some smartphones have the out-of-bounds write vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is r

CVE-2022-46325 CRITICAL
9.8 Dec 20

Some smartphones have the out-of-bounds write vulnerability.Successful exploitation of this vulnerability may cause syst

Share

CVE-2026-41973 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy