EUVD-2025-208681

CVE-2025-52458 | Severity: MEDIUM | CVSS 3.1 base score: 5.5 | Published: 2026-03-16 | Product: OpenHarmony

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

EUVD ID Assigned: Mar 16, 2026 - 09:00 (euvd), EUVD-2025-208681
Analysis Generated: Mar 16, 2026 - 09:00 (vuln.today)
CVE Published: Mar 16, 2026 - 07:10 (nvd)

Description

in OpenHarmony v5.1.0 and prior versions allow a local attacker to achieve arbitrary code execution in pre-installed apps through an out-of-bounds write. This vulnerability can be exploited only in restricted scenarios.

Analysis

An out-of-bounds write vulnerability (CWE-787) exists in OpenHarmony versions up to and including v5.1.0, enabling local attackers to execute arbitrary code within pre-installed applications. The vulnerability requires local access and low privileges but can result in complete confidentiality compromise. This is a memory corruption issue that, while restricted to specific scenarios, poses a meaningful risk to OpenHarmony device security given the local attack vector and high impact on confidentiality.

Technical Context

OpenHarmony is an open-source operating system (identified via CPE cpe:2.3:a:openharmony:openharmony:*:*:*:*:*:*:*:*) designed for IoT and embedded devices. The vulnerability stems from a CWE-787 (Out-of-bounds Write) condition in memory-handling routines, likely within system libraries or kernel components used by pre-installed applications. Out-of-bounds writes are classic buffer overflow memory corruption issues that allow attackers to overwrite adjacent memory structures, potentially hijacking control flow or modifying sensitive data. The restriction to pre-installed apps and specific scenarios suggests the vulnerability exists within a sandboxed or capability-gated code path rather than in universally accessible kernel code, limiting but not eliminating exploitability.

Affected Products

OpenHarmony versions from v5.0.3 through v5.1.0.x are affected, as confirmed by the EUVD-2025-208681 identifier. The CPE cpe:2.3:a:openharmony:openharmony:*:*:*:*:*:*:*:* confirms that the OpenHarmony platform itself is the affected product. The vendor security disclosure is available at https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2025/2025-10.md, and additional analysis is documented on VulDB at https://vuldb.com/?id.351217.

Remediation

Upgrade OpenHarmony to a patched version beyond v5.1.0.x as released by the OpenHarmony project. Consult the official security disclosure at https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2025/2025-10.md for specific patch availability and timelines. Until patching is feasible, implement the following mitigations: (1) restrict local user account creation and access on OpenHarmony devices to trusted personnel only, reducing the likelihood of local attacker scenarios; (2) isolate OpenHarmony devices on network segments with restricted outbound access to limit lateral movement if code execution is achieved; (3) monitor process behavior in pre-installed applications for anomalies or unexpected memory access patterns. Prioritize patching for high-risk deployments (connected home devices, medical IoT, industrial controllers).

Priority Score: 28 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.0
CVSS: +28
POC: 0
