Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Permission control vulnerability in calls. Impact: Successful exploitation of this vulnerability may affect availability.
AnalysisAI
Permission control bypass in Huawei HarmonyOS and EMUI's call-handling subsystem allows a locally present, unprivileged attacker to circumvent intended access restrictions, resulting in low-level impacts to confidentiality, integrity, and availability. The vulnerability stems from improper business logic governing permission enforcement (CWE-840), meaning the system fails to correctly validate whether a calling entity holds the required permissions before servicing a request. No public exploit code exists and the vulnerability has not been listed in the CISA Known Exploited Vulnerabilities catalog, but the low attack complexity and absence of privilege requirements lower the bar for local abuse.
Technical ContextAI
HarmonyOS and EMUI are Huawei's mobile/IoT operating system platforms. The affected component is the call-handling layer - likely inter-process communication (IPC), system API dispatch, or a similar call-routing mechanism - where permission checks are performed before servicing requests from applications or system components. CWE-840 (Business Logic Errors) indicates the flaw is not a classic memory-safety or injection issue but rather an incorrect or missing enforcement step in the permission validation flow: the logic controlling who is allowed to invoke certain calls contains a logical gap. The CVSS vector AV:L/AC:L/PR:N/UI:N confirms exploitation is strictly local (e.g., a malicious installed application), requires no special privileges, and needs no victim interaction. CPE strings cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:* and cpe:2.3:a:huawei:emui:*:*:*:*:*:*:*:* cover all tracked versions of both platforms, with exact affected version ranges not narrowed in available CPE data.
RemediationAI
The primary remediation is to apply the Huawei-issued patch referenced in the June 2026 Security Bulletin at https://consumer.huawei.com/en/support/bulletin/2026/6/. Users should update their HarmonyOS or EMUI devices to the patched build version specified in that bulletin - the exact fixed version is not independently confirmable from current input data and must be verified there. Since the attack vector is local and requires a malicious app to be present on the device, a meaningful compensating control in the absence of patching is to restrict application installation to the official Huawei AppGallery and disable sideloading (unknown sources). This limits the attacker's ability to deploy a weaponized app, though it does not address the underlying permission logic flaw. Enterprise MDM policies enforcing app allowlists on managed HarmonyOS/EMUI devices provide an additional layer of containment with the trade-off of reduced user flexibility.
Permission verification vulnerability in the wpa_supplicant module Impact: Successful exploitation of this vulnerability
Permission management vulnerability in the PMS module. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Vulnerability of access permissions not being strictly verified in the APPWidget module.Successful exploitation of this
Vulnerability of permissions not being strictly verified in the window management module.Successful exploitation of this
API permission management vulnerability in the Fwk-Display module.Successful exploitation of this vulnerability may caus
Vulnerability of defects introduced in the design process in the HiviewTunner module. Rated critical severity (CVSS 9.8)
Vulnerability of out-of-bounds parameter read/write in the Wi-Fi module. Rated critical severity (CVSS 9.8), this vulner
Vulnerability of commands from the modem being intercepted in the atcmdserver module. Rated critical severity (CVSS 9.8)
Improper permission control vulnerability in the Notepad app.Successful exploitation of the vulnerability may lead to pr
Some smartphones have configuration issues. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitab
Some smartphones have the out-of-bounds write vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is r
Some smartphones have the out-of-bounds write vulnerability.Successful exploitation of this vulnerability may cause syst
Same weakness CWE-840 – Business Logic Errors
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35360
GHSA-595m-hf52-xp2j