Skip to main content

HarmonyOS Browser CVE-2026-41983

| EUVDEUVD-2026-35355 MEDIUM
Resource Management Errors (CWE-399)
2026-06-09 huawei GHSA-767p-cppf-v3v3
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 08:00 vuln.today

DescriptionCVE.org

DoS vulnerability in the browser kernel. Impact: Successful exploitation of this vulnerability may affect availability.

AnalysisAI

Denial-of-service in the HarmonyOS browser kernel component allows a remote unauthenticated attacker to degrade availability on affected Huawei devices by luring a user into visiting a malicious page or interacting with crafted content. Exploitation requires user interaction (UI:R per CVSS), limiting opportunistic reach, but the network-accessible attack vector (AV:N) and low complexity (AC:L) make delivery straightforward once a user is socially engineered. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

The affected component is the browser kernel within Huawei HarmonyOS, the proprietary operating system deployed across Huawei smartphones, wearables, and laptops. CWE-399 (Resource Management Errors) identifies the root cause class - the browser kernel fails to properly manage a resource (memory, handles, or connections) under attacker-controlled input, leading to resource exhaustion or an unrecoverable error state. This class of flaw typically manifests as uncontrolled memory consumption, object reference mismanagement, or failure to release acquired resources, ultimately crashing or hanging the browser process. The CPE string cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:* covers all tracked versions of HarmonyOS without a bounded version range, suggesting Huawei has not yet published precise affected-version boundaries in machine-readable form.

RemediationAI

Apply the security updates published by Huawei in their June 2026 security bulletins for the applicable device class: smartphones at https://consumer.huawei.com/en/support/bulletin/2026/6/, wearables at https://consumer.huawei.com/en/support/bulletinwearables/2026/6/, and laptops at https://consumer.huawei.com/en/support/bulletinlaptops/2026/6/. An exact patched build version is not independently confirmed from the available data - consult the bulletin directly for the specific firmware or HarmonyOS version that addresses CVE-2026-41983. As an interim compensating control, users can avoid navigating to untrusted or unverified web content in the HarmonyOS native browser, or switch to an alternative browser application until the patch is applied; this trades browsing convenience for a meaningful reduction in attack surface given the UI:R exploitation requirement.

Share

CVE-2026-41983 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy