Skip to main content

HarmonyOS CVE-2026-58554

| EUVDEUVD-2026-44659 MEDIUM
Information Exposure (CWE-200)
2026-07-15 huawei GHSA-v7px-ccwm-rfj6
6.6
CVSS 3.1 · Vendor: huawei
Share

Severity by source

Vendor (huawei) PRIMARY
6.6 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
vuln.today AI
6.6 MEDIUM

Local-only vector confirmed; PR:N reflects that any installed app exploits the Settings IPC boundary without requesting elevated permissions, with user interaction as the sole trigger gate.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (huawei).

CVSS VectorVendor: huawei

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 15, 2026 - 13:23 vuln.today

DescriptionCVE.org

Permission control vulnerability in the Settings module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.

AnalysisAI

Permission control bypass in the Settings module of Huawei HarmonyOS and EMUI exposes sensitive service data to unauthorized local actors. A locally-installed application without elevated privileges can exploit the flaw (CWE-200) during user interaction with the Settings UI to read confidential configuration or service data - with a CVSS-rated High confidentiality impact (C:H). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Malicious app installed on Huawei device
Delivery
User opens or navigates Settings module
Exploit
App triggers permission control bypass in Settings IPC
Execution
Restricted service configuration data read without authorization
Impact
Sensitive information exfiltrated to attacker-controlled process

Vulnerability AssessmentAI

Exploitation Exploitation requires a malicious or attacker-controlled application to be installed on the target Huawei device running HarmonyOS or EMUI. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS score of 6.6 (Medium) reflects meaningful but bounded risk: the local attack vector (AV:L) eliminates remote exploitation, and user interaction is required (UI:R), preventing silent background exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker distributes a malicious application - via a third-party app store, phishing link, or social engineering - to a target's Huawei HarmonyOS or EMUI device. When the user opens or otherwise interacts with the Settings module, the malicious app exploits the permission control bypass to read restricted service configuration data, potentially exposing account identifiers, system credentials, or sensitive configuration parameters. …
Remediation Consult and apply the update detailed in Huawei's July 2026 security bulletin (https://consumer.huawei.com/en/support/bulletin/2026/7/) - the patch is available per vendor advisory, though exact fixed version numbers are not confirmed in the data available at time of analysis and must be retrieved directly from the bulletin. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-32991 CRITICAL
9.8 May 14

Permission verification vulnerability in the wpa_supplicant module Impact: Successful exploitation of this vulnerability

CVE-2023-46773 CRITICAL
9.8 Dec 06

Permission management vulnerability in the PMS module. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2023-44116 CRITICAL
9.8 Oct 11

Vulnerability of access permissions not being strictly verified in the APPWidget module.Successful exploitation of this

CVE-2023-44105 CRITICAL
9.8 Oct 11

Vulnerability of permissions not being strictly verified in the window management module.Successful exploitation of this

CVE-2023-44106 CRITICAL
9.8 Oct 11

API permission management vulnerability in the Fwk-Display module.Successful exploitation of this vulnerability may caus

CVE-2023-41297 CRITICAL
9.8 Sep 25

Vulnerability of defects introduced in the design process in the HiviewTunner module. Rated critical severity (CVSS 9.8)

CVE-2023-41294 CRITICAL
9.8 Sep 25

The DP module has a service hijacking vulnerability.Successful exploitation of this vulnerability may affect some Super

CVE-2023-39405 CRITICAL
9.8 Aug 13

Vulnerability of out-of-bounds parameter read/write in the Wi-Fi module. Rated critical severity (CVSS 9.8), this vulner

CVE-2023-37242 CRITICAL
9.8 Jul 06

Vulnerability of commands from the modem being intercepted in the atcmdserver module. Rated critical severity (CVSS 9.8)

CVE-2022-46327 CRITICAL
9.8 Dec 20

Some smartphones have configuration issues. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitab

CVE-2022-46326 CRITICAL
9.8 Dec 20

Some smartphones have the out-of-bounds write vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is r

CVE-2022-46325 CRITICAL
9.8 Dec 20

Some smartphones have the out-of-bounds write vulnerability.Successful exploitation of this vulnerability may cause syst

Share

CVE-2026-58554 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy