Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
User interaction required to trigger vibration service; no privileges needed; only availability impacted with no scope change.
Primary rating from Vendor (huawei).
CVSS VectorVendor: huawei
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
DoS vulnerability in the vibration service. Impact: Successful exploitation of this vulnerability may affect availability.
AnalysisAI
Uncontrolled memory allocation in Huawei's vibration service crashes affected HarmonyOS and EMUI devices, resulting in a denial-of-service condition impacting device availability. The flaw is remotely triggerable with no privileges required but demands user interaction, consistent with delivery via crafted content such as a malicious application, webpage, or message that exercises the vibration API. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | User interaction is required - the victim must actively open or interact with attacker-controlled content (such as a malicious application, crafted notification, or web page) that invokes the vibration service with pathological input. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) reflects a moderate-severity DoS: network-reachable, low complexity, no privileges, but requiring user interaction, which meaningfully reduces mass-exploitation feasibility compared to a fully unauthenticated, no-interaction path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious application or web page that calls the device vibration API with parameters designed to trigger unbounded memory allocation in the vibration service. When a victim on an unpatched HarmonyOS or EMUI device opens the malicious content, the vibration service exhausts device memory, causing the service to crash or rendering the device temporarily unresponsive. … |
| Remediation | Apply the patch issued by Huawei in the July 2026 security bulletin (https://consumer.huawei.com/en/support/bulletin/2026/7/); the exact patched version numbers are not enumerated in available NVD data and must be confirmed from that advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Harmony Os
View allLocal information disclosure in Huawei HarmonyOS and EMUI stems from a flawed permission-control check in the file syste
Permission control failure in the Bluetooth module of Huawei HarmonyOS and EMUI exposes devices to local exploitation th
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44665
GHSA-c38h-7xm3-hv7v