Skip to main content

HarmonyOS CVE-2026-58557

| EUVDEUVD-2026-44660 MEDIUM
Weaknesses Introduced During Design (CWE-701)
2026-07-15 huawei GHSA-fr78-wfr2-4mhm
4.8
CVSS 3.1 · Vendor: huawei
Share

Severity by source

Vendor (huawei) PRIMARY
4.8 MEDIUM
AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:H
vuln.today AI
4.8 MEDIUM

Local-only access with mandatory high privileges and user interaction; availability impact is high but no confidentiality impact is substantiated by available technical evidence.

3.1 AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:H
4.0 AV:L/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (huawei).

CVSS VectorVendor: huawei

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 15, 2026 - 13:20 vuln.today

DescriptionCVE.org

Design defect vulnerability in Expedition mode. Impact: Successful exploitation of this vulnerability may affect availability.

AnalysisAI

Design defect in HarmonyOS's 'Expedition mode' allows a high-privileged local attacker, with user interaction, to cause significant availability disruption and minor integrity impact. Reported by Huawei in its July 2026 security bulletin, the vulnerability carries a CVSS 3.1 base score of 4.8, reflecting constrained exploitability due to local access, high privilege, and required user interaction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain high-privileged local device access
Exploit
Trigger user interaction in Expedition mode
Execution
Design defect corrupts availability state
Impact
Device feature or system becomes unavailable

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) local access to the HarmonyOS device - no remote or network-based exploitation path exists per AV:L; (2) high privilege level on the device, meaning the attacker must already operate as an administrator or equivalent high-privileged account (PR:H); (3) some form of user interaction (UI:R), such as triggering a mode switch or user-initiated action in Expedition mode. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The overall real-world risk is low to moderate. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A high-privileged local user on a HarmonyOS device (e.g., an admin or device owner with elevated access) triggers Expedition mode through a device interaction, causing the underlying design defect to corrupt availability of the affected component or the device state. Because user interaction is required (UI:R), a purely automated local exploit is unlikely without some form of social engineering or physical device access to prompt the interaction. …
Remediation The primary remediation is to apply the patch or update referenced in Huawei's July 2026 security bulletin at https://consumer.huawei.com/en/support/bulletin/2026/7/. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-32991 CRITICAL
9.8 May 14

Permission verification vulnerability in the wpa_supplicant module Impact: Successful exploitation of this vulnerability

CVE-2023-46773 CRITICAL
9.8 Dec 06

Permission management vulnerability in the PMS module. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2023-44116 CRITICAL
9.8 Oct 11

Vulnerability of access permissions not being strictly verified in the APPWidget module.Successful exploitation of this

CVE-2023-44105 CRITICAL
9.8 Oct 11

Vulnerability of permissions not being strictly verified in the window management module.Successful exploitation of this

CVE-2023-44106 CRITICAL
9.8 Oct 11

API permission management vulnerability in the Fwk-Display module.Successful exploitation of this vulnerability may caus

CVE-2023-41297 CRITICAL
9.8 Sep 25

Vulnerability of defects introduced in the design process in the HiviewTunner module. Rated critical severity (CVSS 9.8)

CVE-2023-41294 CRITICAL
9.8 Sep 25

The DP module has a service hijacking vulnerability.Successful exploitation of this vulnerability may affect some Super

CVE-2023-39405 CRITICAL
9.8 Aug 13

Vulnerability of out-of-bounds parameter read/write in the Wi-Fi module. Rated critical severity (CVSS 9.8), this vulner

CVE-2023-37242 CRITICAL
9.8 Jul 06

Vulnerability of commands from the modem being intercepted in the atcmdserver module. Rated critical severity (CVSS 9.8)

CVE-2022-46327 CRITICAL
9.8 Dec 20

Some smartphones have configuration issues. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitab

CVE-2022-46326 CRITICAL
9.8 Dec 20

Some smartphones have the out-of-bounds write vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is r

CVE-2022-46325 CRITICAL
9.8 Dec 20

Some smartphones have the out-of-bounds write vulnerability.Successful exploitation of this vulnerability may cause syst

Share

CVE-2026-58557 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy