Skip to main content

HarmonyOS CVE-2026-41975

| EUVDEUVD-2026-35319 MEDIUM
Weaknesses Introduced During Design (CWE-701)
2026-06-09 huawei GHSA-hqmj-jwmx-chfc
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 05:20 vuln.today

DescriptionCVE.org

Permission management vulnerability in the network management module. Impact: Successful exploitation of this vulnerability may affect service integrity.

AnalysisAI

Permission management bypass in HarmonyOS's network management module allows a locally present, low-privileged attacker - with user interaction - to read sensitive network data (C:H) and disrupt service availability (A:H) under high-complexity conditions. The CVSS 6.3 Medium score reflects meaningful impact tempered by stringent prerequisites: local access, an authenticated account, required victim interaction, and high attack complexity. No public exploit identified at time of analysis, and no CISA KEV listing exists, but the confidentiality and availability impacts warrant patching per Huawei's June 2026 security bulletin.

Technical ContextAI

HarmonyOS (Huawei's proprietary operating system, CPE: cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:*) contains a permission management flaw in its network management module. The assigned CWE-701 ('Weaknesses Introduced During Design') is an abstract category-level classification rather than a specific weakness type, which limits root-cause precision; it broadly signals that the flaw originates in architectural permission-handling decisions rather than implementation bugs. Combined with the 'Information Disclosure' tag and the CVSS vector's High confidentiality impact (C:H), the flaw likely allows an attacker to bypass access controls enforced on network-related resources or settings, enabling unauthorized reads of sensitive network configuration or state data and potentially disrupting service availability (A:H).

RemediationAI

Apply the fixes described in Huawei's June 2026 monthly security bulletin, available at https://consumer.huawei.com/en/support/bulletin/2026/6/ (consumer devices) and https://consumer.huawei.com/en/support/bulletinlaptops/2026/6/ (Huawei laptops running HarmonyOS). No exact patched version number is independently confirmed from the available data - consult the bulletin for the specific build or release that addresses CVE-2026-41975. As a compensating control pending patch application, restrict third-party app installations to trusted sources and audit which locally installed applications hold permissions in the network management scope. Removing or restricting apps with elevated network permissions reduces the available privilege set an attacker could leverage, though this may affect legitimate network management tools. The UI:R requirement also means user-awareness hygiene (avoiding untrusted prompts or interactions) provides marginal defensive value until patching is complete.

Share

CVE-2026-41975 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy