Skip to main content

HarmonyOS CVE-2026-41978

| EUVDEUVD-2026-35323 MEDIUM
Permission Issues (CWE-275)
2026-06-09 huawei GHSA-j23c-xwww-crv4
4.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.4 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 05:19 vuln.today

DescriptionCVE.org

Permission control vulnerability in the clone module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.

AnalysisAI

Permission control vulnerability in the HarmonyOS clone module allows a local attacker to read confidential service data, with low confidentiality and availability impact. The flaw stems from improper permission enforcement (CWE-275) during clone operations and requires user interaction to trigger. No public exploit code exists and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at time of analysis.

Technical ContextAI

HarmonyOS, Huawei's proprietary operating system (CPE: cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:*), includes a clone module - a component that facilitates duplication of application data or application instances. The root cause class is CWE-275 (Permission Issues), indicating that access controls governing what the clone operation can read or expose are incorrectly implemented. Specifically, the clone module likely fails to validate or enforce appropriate permission boundaries when copying or accessing service data, allowing a process or user without sufficient authorization to read data that should be restricted. The Huawei laptop security bulletin reference (bulletinlaptops) suggests this affects HarmonyOS deployments on laptop or PC-class hardware rather than mobile devices exclusively.

RemediationAI

Consult the Huawei June 2026 laptop security bulletin at https://consumer.huawei.com/en/support/bulletinlaptops/2026/6/ for the specific patched HarmonyOS build version and apply the vendor-provided update as the primary remediation. An exact fixed version number is not independently confirmed from the available input data - the bulletin must be reviewed directly. As a compensating control pending patch application, restrict physical and remote access to affected devices to trusted users only, which addresses the local attack vector requirement. Additionally, user awareness around accepting or initiating unexpected clone operations can reduce the user interaction (UI:R) prerequisite for exploitation. No known trade-offs from the patch are documented in available data.

Share

CVE-2026-41978 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy