Skip to main content

HarmonyOS CVE-2026-58551

| EUVDEUVD-2026-44655 MEDIUM
Classic Buffer Overflow (CWE-120)
2026-07-15 huawei GHSA-85pp-f9jm-8fg8
5.1
CVSS 3.1 · Vendor: huawei
Share

Severity by source

Vendor (huawei) PRIMARY
5.1 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
vuln.today AI
4.4 MEDIUM

Image codec flaws require a crafted file to be opened or indexed, implying UI:R; all other metrics match the vendor-provided vector.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (huawei).

CVSS VectorVendor: huawei

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 15, 2026 - 12:46 vuln.today

DescriptionCVE.org

Out-of-bounds read vulnerability in the image codec module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.

AnalysisAI

Out-of-bounds read in HarmonyOS's image codec module exposes limited memory content and may cause service instability, affecting confidentiality and availability at a low severity level. The flaw resides in image processing logic and is reachable by a local, unprivileged actor who can trigger image decoding - such as by supplying a crafted image file. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local device access
Delivery
Place crafted image in codec-accessible path
Exploit
Image codec module parses malformed data
Execution
Out-of-bounds read triggered in codec buffer
Impact
Adjacent memory contents leaked or service crashes

Vulnerability AssessmentAI

Exploitation Local access to the HarmonyOS device is required - this vulnerability cannot be triggered remotely. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 5.1 with vector AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L positions this as a medium-severity, locally-exploitable issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker or malicious application on the HarmonyOS device supplies a specially crafted image file to the image codec module - either directly via a locally-installed app or by placing the file in a directory that triggers automatic processing (e.g., gallery indexing). The codec reads beyond the allocated buffer boundary, leaking a small amount of adjacent memory that may contain sensitive data, or causing the image service to crash. …
Remediation Users and administrators should consult the Huawei July 2026 security bulletins for their respective device class and apply available over-the-air (OTA) or manual firmware updates: consumer devices at https://consumer.huawei.com/en/support/bulletin/2026/7/, Vision devices at https://consumer.huawei.com/en/support/bulletinvision/2026/7/, wearables at https://consumer.huawei.com/en/support/bulletinwearables/2026/7/, and laptops at https://consumer.huawei.com/en/support/bulletinlaptops/2026/7/. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-32991 CRITICAL
9.8 May 14

Permission verification vulnerability in the wpa_supplicant module Impact: Successful exploitation of this vulnerability

CVE-2023-46773 CRITICAL
9.8 Dec 06

Permission management vulnerability in the PMS module. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2023-44116 CRITICAL
9.8 Oct 11

Vulnerability of access permissions not being strictly verified in the APPWidget module.Successful exploitation of this

CVE-2023-44105 CRITICAL
9.8 Oct 11

Vulnerability of permissions not being strictly verified in the window management module.Successful exploitation of this

CVE-2023-44106 CRITICAL
9.8 Oct 11

API permission management vulnerability in the Fwk-Display module.Successful exploitation of this vulnerability may caus

CVE-2023-41297 CRITICAL
9.8 Sep 25

Vulnerability of defects introduced in the design process in the HiviewTunner module. Rated critical severity (CVSS 9.8)

CVE-2023-41294 CRITICAL
9.8 Sep 25

The DP module has a service hijacking vulnerability.Successful exploitation of this vulnerability may affect some Super

CVE-2023-39405 CRITICAL
9.8 Aug 13

Vulnerability of out-of-bounds parameter read/write in the Wi-Fi module. Rated critical severity (CVSS 9.8), this vulner

CVE-2023-37242 CRITICAL
9.8 Jul 06

Vulnerability of commands from the modem being intercepted in the atcmdserver module. Rated critical severity (CVSS 9.8)

CVE-2022-46327 CRITICAL
9.8 Dec 20

Some smartphones have configuration issues. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitab

CVE-2022-46326 CRITICAL
9.8 Dec 20

Some smartphones have the out-of-bounds write vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is r

CVE-2022-46325 CRITICAL
9.8 Dec 20

Some smartphones have the out-of-bounds write vulnerability.Successful exploitation of this vulnerability may cause syst

Share

CVE-2026-58551 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy