Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Race condition vulnerability in the IPC module. Impact: Successful exploitation of this vulnerability may affect availability.
AnalysisAI
Use-after-free memory corruption in Huawei HarmonyOS's IPC (Inter-Process Communication) module allows a network-adjacent, low-privilege authenticated attacker to exploit a race condition leading primarily to high-confidence information disclosure with secondary integrity and availability impacts. The CVSS vector (AV:N/AC:H/PR:L/UI:N) confirms remote reachability but demands precise race-condition timing and an authenticated session, materially constraining opportunistic exploitation. No public exploit code and no CISA KEV listing have been identified at time of analysis, and Huawei has issued a June 2026 security bulletin addressing the issue.
Technical ContextAI
HarmonyOS is Huawei's proprietary operating system spanning smartphones, tablets, and wearable devices. The vulnerable component is the IPC module - the subsystem that manages inter-process communication and cross-process data exchange within the OS boundary. CWE-416 (Use-After-Free) identifies the root cause class: a race condition in concurrent IPC operations allows a memory object to be freed while a reference to it still exists; a subsequent dereference of that stale pointer produces memory corruption. This pattern is particularly consequential in IPC subsystems because they operate across process privilege boundaries, meaning a freed object may contain sensitive cross-process data. The CPE string cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:* covers all HarmonyOS versions with no version range constraint, and Huawei's bulletins address both consumer devices and wearables separately, indicating broad platform scope. The tags (Use After Free, Memory Corruption, Information Disclosure) are consistent with the CVSS confidentiality impact of High.
RemediationAI
Apply the patches described in Huawei's June 2026 security bulletins: consumer device owners should consult https://consumer.huawei.com/en/support/bulletin/2026/6/ and wearable device owners should consult https://consumer.huawei.com/en/support/bulletinwearables/2026/6/. The exact patched HarmonyOS version number is not independently confirmed from available input data - patch version should be verified directly against the advisory before deployment. As a compensating control while patching is in progress, isolating affected HarmonyOS devices from untrusted or shared network segments reduces the AV:N exposure surface; note this may impair device connectivity and cloud-dependent features. Restricting low-privilege account access on devices (e.g., disabling developer mode or limiting third-party app IPC permissions) addresses the PR:L prerequisite but may break legitimate application functionality. Given AC:H, automated mass exploitation is unlikely, so prioritization can be tiered - internet-exposed or enterprise-managed HarmonyOS deployments should patch first.
Same weakness CWE-416 – Use After Free
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35365
GHSA-cvv8-m2f8-fr4m