Skip to main content

HarmonyOS CVE-2026-58552

| EUVDEUVD-2026-44656 MEDIUM
Classic Buffer Overflow (CWE-120)
2026-07-15 huawei GHSA-rppv-cc33-x627
5.1
CVSS 3.1 · Vendor: huawei
Share

Severity by source

Vendor (huawei) PRIMARY
5.1 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
vuln.today AI
5.1 MEDIUM

Local attack vector confirmed by description; PR:N as any installed app can invoke the codec; no integrity impact since the flaw is read-only; A:L retained for potential codec crash.

3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
4.0 AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (huawei).

CVSS VectorVendor: huawei

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 15, 2026 - 12:47 vuln.today

DescriptionCVE.org

Out-of-bounds read vulnerability in the image codec module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.

AnalysisAI

Out-of-bounds read in HarmonyOS's image codec module exposes partial memory contents to local attackers, affecting service confidentiality with a secondary availability impact. The CVSS vector (AV:L/PR:N) scopes exploitation to the local device - reachable by any installed application capable of submitting image data to the vulnerable codec - without requiring elevated privileges. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Install malicious app on HarmonyOS device
Delivery
Submit crafted image to codec module
Exploit
Trigger out-of-bounds read past buffer boundary
Execution
Leak adjacent process memory contents
Impact
Exfiltrate confidential in-memory data

Vulnerability AssessmentAI

Exploitation Exploitation requires local code execution on a HarmonyOS device, confirmed by the CVSS AV:L metric - the attacker must have an application running on the device. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 5.1 (Medium) is consistent with a local, low-complexity, no-privilege-required memory disclosure: the local attack vector (AV:L) is the primary risk limiter, confining exploitation to code already executing on the target device. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker distributes a malicious HarmonyOS application that internally submits a specially crafted image file to the system image codec module, triggering the out-of-bounds read. The codec reads beyond the intended buffer boundary, leaking adjacent memory contents - potentially including in-memory tokens, session credentials, or other sensitive application state - back to the calling process. …
Remediation Apply the July 2026 Huawei security update appropriate to your device category: smartphone and consumer device users should consult https://consumer.huawei.com/en/support/bulletin/2026/7/, smart vision device users should refer to https://consumer.huawei.com/en/support/bulletinvision/2026/7/, wearable users should check https://consumer.huawei.com/en/support/bulletinwearables/2026/7/, and laptop users should review https://consumer.huawei.com/en/support/bulletinlaptops/2026/7/. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-32991 CRITICAL
9.8 May 14

Permission verification vulnerability in the wpa_supplicant module Impact: Successful exploitation of this vulnerability

CVE-2023-46773 CRITICAL
9.8 Dec 06

Permission management vulnerability in the PMS module. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2023-44116 CRITICAL
9.8 Oct 11

Vulnerability of access permissions not being strictly verified in the APPWidget module.Successful exploitation of this

CVE-2023-44105 CRITICAL
9.8 Oct 11

Vulnerability of permissions not being strictly verified in the window management module.Successful exploitation of this

CVE-2023-44106 CRITICAL
9.8 Oct 11

API permission management vulnerability in the Fwk-Display module.Successful exploitation of this vulnerability may caus

CVE-2023-41297 CRITICAL
9.8 Sep 25

Vulnerability of defects introduced in the design process in the HiviewTunner module. Rated critical severity (CVSS 9.8)

CVE-2023-41294 CRITICAL
9.8 Sep 25

The DP module has a service hijacking vulnerability.Successful exploitation of this vulnerability may affect some Super

CVE-2023-39405 CRITICAL
9.8 Aug 13

Vulnerability of out-of-bounds parameter read/write in the Wi-Fi module. Rated critical severity (CVSS 9.8), this vulner

CVE-2023-37242 CRITICAL
9.8 Jul 06

Vulnerability of commands from the modem being intercepted in the atcmdserver module. Rated critical severity (CVSS 9.8)

CVE-2022-46327 CRITICAL
9.8 Dec 20

Some smartphones have configuration issues. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitab

CVE-2022-46326 CRITICAL
9.8 Dec 20

Some smartphones have the out-of-bounds write vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is r

CVE-2022-46325 CRITICAL
9.8 Dec 20

Some smartphones have the out-of-bounds write vulnerability.Successful exploitation of this vulnerability may cause syst

Share

CVE-2026-58552 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy