Severity by source
AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:L
Lifecycle Timeline
1DescriptionCVE.org
UAF vulnerability in the package management module. Impact: Successful exploitation of this vulnerability may affect service integrity.
AnalysisAI
Use-After-Free (UAF) in the HarmonyOS package management module allows a local attacker with high privileges to compromise service integrity. Successful exploitation requires high attack complexity and user interaction, limiting real-world exposure. The primary impact is integrity degradation (I:H), with minor confidentiality and availability effects; no public exploit or CISA KEV listing identified at time of analysis.
Technical ContextAI
HarmonyOS (Huawei) is affected per CPE cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:*, covering all tracked versions. The UAF class flaw (a freed memory region is accessed after deallocation) resides in the package management module. However, the assigned CWE is CWE-284 (Improper Access Control) rather than the canonical CWE-416 (Use After Free) - this discrepancy between the description text and the assigned weakness warrants verification with Huawei's advisory. UAF conditions in package managers typically arise during install/uninstall race conditions or during reference-counting errors in module lifecycle management. CWE-284 suggests the root cause may involve insufficient access control checks around the freed object, enabling privilege boundary bypass rather than a pure memory-corruption primitive.
RemediationAI
The primary remediation is to apply the updates detailed in the Huawei June 2026 security bulletins: https://consumer.huawei.com/en/support/bulletin/2026/6/ for mobile devices, https://consumer.huawei.com/en/support/bulletinwearables/2026/6/ for wearables, and https://consumer.huawei.com/en/support/bulletinlaptops/2026/6/ for laptops. An exact patched version number was not confirmed in the available intelligence - the precise fix version must be verified directly from the Huawei advisory pages before deployment. As compensating controls where patching is not immediately possible: restrict physical and shell access to devices to prevent local exploitation (the AV:L vector means remote exploitation is not possible); enforce least-privilege policies to prevent unprivileged users from obtaining the high-privilege level (PR:H) the attack requires; and monitor package manager operations for anomalous behavior. These controls reduce the already limited attack surface but do not eliminate the underlying vulnerability.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35357
GHSA-p2h4-vgwh-pp8x