Severity by source
AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H
Lifecycle Timeline
1DescriptionCVE.org
UAF vulnerability in the package management module. Impact: Successful exploitation of this vulnerability may affect service integrity.
AnalysisAI
Use-after-free in the HarmonyOS package management module allows a locally authenticated, highly privileged attacker to corrupt memory and primarily impact service availability. The CVSS vector (AV:L/AC:H/PR:H) constrains the attack to local, high-complexity scenarios requiring administrative privileges, yielding a medium-severity score of 5.2. No public exploit code or CISA KEV listing has been identified at time of analysis, though the Authentication Bypass tag in the intelligence data warrants scrutiny given the high-privilege prerequisite implied by CVSS.
Technical ContextAI
The vulnerability resides in the package management module of Huawei HarmonyOS (CPE: cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:*), covering all tracked versions of the OS across consumer devices, wearables, and laptops per the three advisory bulletins (June 2026). The root cause is described as a use-after-free (UAF) - a memory safety defect where freed heap objects are accessed after deallocation - which is characteristic of CWE-416, not the assigned CWE-284 (Improper Access Control). This discrepancy is notable: the 'Authentication Bypass' tag and CWE-284 assignment suggest the advisory may be grouping an access-control bypass pathway alongside the UAF primitive, or CWE assignment reflects a secondary access-control weakness exploitable via the UAF. The Huawei security bulletin covers the full HarmonyOS product line including wearables and laptop form factors, indicating the package management subsystem is shared across device categories.
RemediationAI
Apply the patches detailed in the Huawei June 2026 security bulletins - consult https://consumer.huawei.com/en/support/bulletin/2026/6/ for smartphones, https://consumer.huawei.com/en/support/bulletinwearables/2026/6/ for wearables, and https://consumer.huawei.com/en/support/bulletinlaptops/2026/6/ for laptops. An exact patched version number was not provided in the available intelligence data; patch version confirmation requires reviewing the full advisory text. Because the attack requires local, high-privilege access (PR:H, AV:L), compensating controls should focus on tightening local access: restrict administrative and system-level account access to only necessary personnel, enforce least-privilege principles on accounts that interact with the package management subsystem, and audit local privilege escalation paths. These controls reduce the pool of potential attackers but do not eliminate the underlying memory-safety defect.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35356
GHSA-rxxg-m45j-3x69