Skip to main content

HarmonyOS CVE-2026-41985

| EUVDEUVD-2026-35357 MEDIUM
Improper Access Control (CWE-284)
2026-06-09 huawei GHSA-p2h4-vgwh-pp8x
5.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 08:01 vuln.today

DescriptionCVE.org

UAF vulnerability in the package management module. Impact: Successful exploitation of this vulnerability may affect service integrity.

AnalysisAI

Use-After-Free (UAF) in the HarmonyOS package management module allows a local attacker with high privileges to compromise service integrity. Successful exploitation requires high attack complexity and user interaction, limiting real-world exposure. The primary impact is integrity degradation (I:H), with minor confidentiality and availability effects; no public exploit or CISA KEV listing identified at time of analysis.

Technical ContextAI

HarmonyOS (Huawei) is affected per CPE cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:*, covering all tracked versions. The UAF class flaw (a freed memory region is accessed after deallocation) resides in the package management module. However, the assigned CWE is CWE-284 (Improper Access Control) rather than the canonical CWE-416 (Use After Free) - this discrepancy between the description text and the assigned weakness warrants verification with Huawei's advisory. UAF conditions in package managers typically arise during install/uninstall race conditions or during reference-counting errors in module lifecycle management. CWE-284 suggests the root cause may involve insufficient access control checks around the freed object, enabling privilege boundary bypass rather than a pure memory-corruption primitive.

RemediationAI

The primary remediation is to apply the updates detailed in the Huawei June 2026 security bulletins: https://consumer.huawei.com/en/support/bulletin/2026/6/ for mobile devices, https://consumer.huawei.com/en/support/bulletinwearables/2026/6/ for wearables, and https://consumer.huawei.com/en/support/bulletinlaptops/2026/6/ for laptops. An exact patched version number was not confirmed in the available intelligence - the precise fix version must be verified directly from the Huawei advisory pages before deployment. As compensating controls where patching is not immediately possible: restrict physical and shell access to devices to prevent local exploitation (the AV:L vector means remote exploitation is not possible); enforce least-privilege policies to prevent unprivileged users from obtaining the high-privilege level (PR:H) the attack requires; and monitor package manager operations for anomalous behavior. These controls reduce the already limited attack surface but do not eliminate the underlying vulnerability.

Share

CVE-2026-41985 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy