Skip to main content

Huawei HarmonyOS CVE-2026-41986

| EUVDEUVD-2026-35358 LOW
Unchecked Input for Loop Condition (CWE-606)
2026-06-09 huawei GHSA-472f-2v5j-fh75
2.4
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.4 LOW
AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 08:02 vuln.today

DescriptionCVE.org

Logic bypass vulnerability in the file system. Impact: Successful exploitation of this vulnerability may affect availability.

AnalysisAI

File system logic bypass in Huawei HarmonyOS allows a physically present, unauthenticated attacker to circumvent file system control logic, resulting in limited availability impact on the affected device. CVSS scores this at 2.4 (Low), reflecting the mandatory physical access requirement and constrained availability-only impact with no confidentiality or integrity exposure. No public exploit code exists and the vulnerability is not listed in CISA KEV at time of analysis.

Technical ContextAI

The affected product is Huawei HarmonyOS, identified via CPE cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:* - the wildcard version field indicates all tracked versions are considered affected. The root cause is classified as CWE-606 (Unchecked Input for Loop Condition), a logic-layer flaw where attacker-supplied or attacker-influenced input is used in a loop control expression without adequate validation. In a file system context, this can allow an attacker to manipulate iteration logic - such as directory traversal loops or file enumeration routines - to bypass intended constraints, potentially causing resource exhaustion, unexpected termination, or partial denial of file system service. The CVSS vector AV:P confirms exploitation requires hands-on physical access to the device, consistent with a local file system attack surface rather than a remotely reachable interface.

RemediationAI

Patch available per vendor advisory - consult the Huawei June 2026 Security Bulletin at https://consumer.huawei.com/en/support/bulletin/2026/6/ (mobile/consumer devices) and https://consumer.huawei.com/en/support/bulletinlaptops/2026/6/ (HarmonyOS laptop devices) for the exact patched firmware or OS version applicable to your device model. An exact fix version number was not included in the available intelligence data and cannot be independently confirmed; users should apply the latest update delivered via HarmonyOS OTA update mechanism. As a compensating control while patching is pending, enforce physical access controls - device lock screens, full-disk encryption, and restricted physical access to devices - to eliminate the physical attack vector (AV:P) required for exploitation. These controls address the attack precondition directly with no meaningful operational trade-off.

Share

CVE-2026-41986 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy