Skip to main content

Huawei HarmonyOS CVE-2026-58559

| EUVDEUVD-2026-44665 MEDIUM
Memory Allocation with Excessive Size Value (CWE-789)
2026-07-15 huawei GHSA-c38h-7xm3-hv7v
6.5
CVSS 3.1 · Vendor: huawei
Share

Severity by source

Vendor (huawei) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

User interaction required to trigger vibration service; no privileges needed; only availability impacted with no scope change.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (huawei).

CVSS VectorVendor: huawei

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 15, 2026 - 13:20 vuln.today

DescriptionCVE.org

DoS vulnerability in the vibration service. Impact: Successful exploitation of this vulnerability may affect availability.

AnalysisAI

Uncontrolled memory allocation in Huawei's vibration service crashes affected HarmonyOS and EMUI devices, resulting in a denial-of-service condition impacting device availability. The flaw is remotely triggerable with no privileges required but demands user interaction, consistent with delivery via crafted content such as a malicious application, webpage, or message that exercises the vibration API. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Deliver crafted vibration API trigger
Delivery
Victim opens malicious content
Exploit
Vibration service processes input
Execution
Unbounded memory allocation occurs
Impact
Device availability DoS

Vulnerability AssessmentAI

Exploitation User interaction is required - the victim must actively open or interact with attacker-controlled content (such as a malicious application, crafted notification, or web page) that invokes the vibration service with pathological input. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) reflects a moderate-severity DoS: network-reachable, low complexity, no privileges, but requiring user interaction, which meaningfully reduces mass-exploitation feasibility compared to a fully unauthenticated, no-interaction path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious application or web page that calls the device vibration API with parameters designed to trigger unbounded memory allocation in the vibration service. When a victim on an unpatched HarmonyOS or EMUI device opens the malicious content, the vibration service exhausts device memory, causing the service to crash or rendering the device temporarily unresponsive. …
Remediation Apply the patch issued by Huawei in the July 2026 security bulletin (https://consumer.huawei.com/en/support/bulletin/2026/7/); the exact patched version numbers are not enumerated in available NVD data and must be confirmed from that advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58559 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy