Skip to main content

HarmonyOS CVE-2026-41984

| EUVDEUVD-2026-35356 MEDIUM
Improper Access Control (CWE-284)
2026-06-09 huawei GHSA-rxxg-m45j-3x69
5.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.2 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 08:01 vuln.today

DescriptionCVE.org

UAF vulnerability in the package management module. Impact: Successful exploitation of this vulnerability may affect service integrity.

AnalysisAI

Use-after-free in the HarmonyOS package management module allows a locally authenticated, highly privileged attacker to corrupt memory and primarily impact service availability. The CVSS vector (AV:L/AC:H/PR:H) constrains the attack to local, high-complexity scenarios requiring administrative privileges, yielding a medium-severity score of 5.2. No public exploit code or CISA KEV listing has been identified at time of analysis, though the Authentication Bypass tag in the intelligence data warrants scrutiny given the high-privilege prerequisite implied by CVSS.

Technical ContextAI

The vulnerability resides in the package management module of Huawei HarmonyOS (CPE: cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:*), covering all tracked versions of the OS across consumer devices, wearables, and laptops per the three advisory bulletins (June 2026). The root cause is described as a use-after-free (UAF) - a memory safety defect where freed heap objects are accessed after deallocation - which is characteristic of CWE-416, not the assigned CWE-284 (Improper Access Control). This discrepancy is notable: the 'Authentication Bypass' tag and CWE-284 assignment suggest the advisory may be grouping an access-control bypass pathway alongside the UAF primitive, or CWE assignment reflects a secondary access-control weakness exploitable via the UAF. The Huawei security bulletin covers the full HarmonyOS product line including wearables and laptop form factors, indicating the package management subsystem is shared across device categories.

RemediationAI

Apply the patches detailed in the Huawei June 2026 security bulletins - consult https://consumer.huawei.com/en/support/bulletin/2026/6/ for smartphones, https://consumer.huawei.com/en/support/bulletinwearables/2026/6/ for wearables, and https://consumer.huawei.com/en/support/bulletinlaptops/2026/6/ for laptops. An exact patched version number was not provided in the available intelligence data; patch version confirmation requires reviewing the full advisory text. Because the attack requires local, high-privilege access (PR:H, AV:L), compensating controls should focus on tightening local access: restrict administrative and system-level account access to only necessary personnel, enforce least-privilege principles on accounts that interact with the package management subsystem, and audit local privilege escalation paths. These controls reduce the pool of potential attackers but do not eliminate the underlying memory-safety defect.

Share

CVE-2026-41984 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy