Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Permission control vulnerability in the clone module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
AnalysisAI
Permission control vulnerability in the HarmonyOS clone module allows a local attacker to read confidential service data, with low confidentiality and availability impact. The flaw stems from improper permission enforcement (CWE-275) during clone operations and requires user interaction to trigger. No public exploit code exists and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at time of analysis.
Technical ContextAI
HarmonyOS, Huawei's proprietary operating system (CPE: cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:*), includes a clone module - a component that facilitates duplication of application data or application instances. The root cause class is CWE-275 (Permission Issues), indicating that access controls governing what the clone operation can read or expose are incorrectly implemented. Specifically, the clone module likely fails to validate or enforce appropriate permission boundaries when copying or accessing service data, allowing a process or user without sufficient authorization to read data that should be restricted. The Huawei laptop security bulletin reference (bulletinlaptops) suggests this affects HarmonyOS deployments on laptop or PC-class hardware rather than mobile devices exclusively.
RemediationAI
Consult the Huawei June 2026 laptop security bulletin at https://consumer.huawei.com/en/support/bulletinlaptops/2026/6/ for the specific patched HarmonyOS build version and apply the vendor-provided update as the primary remediation. An exact fixed version number is not independently confirmed from the available input data - the bulletin must be reviewed directly. As a compensating control pending patch application, restrict physical and remote access to affected devices to trusted users only, which addresses the local attack vector requirement. Additionally, user awareness around accepting or initiating unexpected clone operations can reduce the user interaction (UI:R) prerequisite for exploitation. No known trade-offs from the patch are documented in available data.
Same weakness CWE-275 – Permission Issues
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35323
GHSA-j23c-xwww-crv4