Skip to main content

Huawei HarmonyOS CVE-2026-41980

| EUVDEUVD-2026-35341 MEDIUM
Information Exposure (CWE-200)
2026-06-09 huawei GHSA-2pp9-mf4r-4wpf
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 05:19 vuln.today

DescriptionCVE.org

Permission control vulnerability in the file preview module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.

AnalysisAI

Insufficient permission enforcement in the HarmonyOS file preview module allows a local, unprivileged attacker to access sensitive file contents without authorization. Affecting Huawei HarmonyOS (all versions per CPE wildcard), the flaw is classified as CWE-200 and carries a CVSS 5.5 Medium score, with high confidentiality impact but no integrity or availability exposure. No public exploit identified at time of analysis, and Huawei disclosed this vulnerability via its June 2026 security bulletin.

Technical ContextAI

The affected component is the file preview module within Huawei HarmonyOS (CPE: cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:*). CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) indicates the root cause is a failure to properly enforce access control checks before rendering or displaying file content during a preview operation. The CVSS vector AV:L/AC:L/PR:N/UI:R reflects that exploitation is constrained to local access with required user interaction, suggesting the preview module does not adequately validate the calling process's permissions against the target file's access controls - a classic permission control bypass in a sandboxed or OS-level file handling subsystem.

RemediationAI

Apply the security updates detailed in Huawei's June 2026 security bulletins for the relevant device category - consumer devices at https://consumer.huawei.com/en/support/bulletin/2026/6/, vision products at https://consumer.huawei.com/en/support/bulletinvision/2026/6/, and laptops at https://consumer.huawei.com/en/support/bulletinlaptops/2026/6/. The exact patched HarmonyOS version is not independently confirmed from the available CPE or reference data - consult the bulletin directly to identify the target firmware version for your device. As a compensating control prior to patching, restricting untrusted third-party application installation on affected HarmonyOS devices reduces the risk of a malicious co-resident app triggering the preview module against protected files. Note this does not fully mitigate the flaw if a rogue local user is the threat actor.

Share

CVE-2026-41980 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy