Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Out-of-bounds write vulnerability in the IPC module. Impact: Successful exploitation of this vulnerability may affect availability.
AnalysisAI
Heap-based buffer overflow in the HarmonyOS IPC (Inter-Process Communication) module allows a local low-privileged attacker to impact confidentiality, integrity, and availability of the affected system. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) confirms exploitation requires local authenticated access with low complexity, limiting but not eliminating real-world risk on consumer and wearable Huawei devices. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Technical ContextAI
The vulnerability exists in the IPC module of Huawei HarmonyOS (CPE: cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:*). IPC subsystems are responsible for inter-process message passing and shared resource coordination within the OS; flaws in this layer are particularly sensitive because IPC is a high-traffic, privileged communication boundary. CWE-122 (Heap-based Buffer Overflow) indicates that data written to a heap-allocated buffer exceeds its allocated bounds, potentially corrupting adjacent heap metadata or data structures. Depending on memory layout, this class of flaw can enable arbitrary code execution, privilege escalation, or denial of service - though the CVSS impact scores here are rated Low across all three CIA axes, suggesting the immediately exploitable impact is constrained. Tags confirm both a generic buffer overflow and a heap-specific overflow classification, consistent with CWE-122.
RemediationAI
Apply the updates described in Huawei's June 2026 consumer security bulletin (https://consumer.huawei.com/en/support/bulletin/2026/6/) and, for wearable devices, the corresponding wearables bulletin (https://consumer.huawei.com/en/support/bulletinwearables/2026/6/). Exact patched version numbers are not independently confirmed from the available data - consult the bulletin directly for device-specific update instructions. As a compensating control prior to patching, restrict local user account creation and limit the number of low-privilege accounts or third-party applications permitted on affected devices, since exploitation requires PR:L local access; this reduces the pool of potential local attackers but does not eliminate the vulnerability. No workaround that disables IPC is feasible without rendering the OS inoperable.
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35364
GHSA-68xf-fx4h-9h5m