Skip to main content

EUVDEUVD-2026-21796

| CVE-2026-34852 MEDIUM
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-04-13 huawei GHSA-7qf2-g97r-ch8v
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

4
Analysis Generated
Apr 13, 2026 - 04:25 vuln.today
EUVD ID Assigned
Apr 13, 2026 - 04:15 euvd
EUVD-2026-21796
Analysis Generated
Apr 13, 2026 - 04:15 vuln.today
CVE Published
Apr 13, 2026 - 03:46 nvd
MEDIUM 6.1

DescriptionCVE.org

Stack overflow vulnerability in the media platform. Impact: Successful exploitation of this vulnerability may affect availability.

AnalysisAI

Stack overflow in HarmonyOS media platform allows authenticated local attackers to cause denial of service and potentially achieve limited information disclosure or integrity compromise through malicious user interaction. CVSS 6.1 reflects moderate severity with local attack vector, low complexity, and requirement for user interaction; EPSS and KEV status not provided. No public exploit code or active exploitation confirmed at time of analysis.

Technical ContextAI

The vulnerability exists in HarmonyOS media platform handling, specifically involving stack memory exhaustion (CWE-835: Infinite Loop) within media processing routines. The affected component processes user-supplied media data that triggers unbounded recursion or iteration, causing stack overflow. HarmonyOS spans multiple device classes (smartphones, wearables, laptops per referenced bulletins), all using the same underlying media stack. The local attack vector combined with user interaction requirement (UI:R in CVSS vector) indicates the attacker must either have local system access or trick a user into opening malicious media content. Authenticated privilege requirement (PR:L) further restricts exposure to users already logged into the system.

RemediationAI

Huawei has released patches for affected HarmonyOS versions distributed through separate security bulletins for each device class. Consumers should navigate to their device-specific bulletin (consumer.huawei.com support section for phones, wearables, or laptops) and apply the recommended security update. Update procedures vary by device type; follow the device-specific instructions provided in the bulletin. As an interim measure, avoid opening untrusted or suspicious media files from unknown sources, and restrict local system access to trusted users only. Patch availability per vendor advisory; exact fix versions are enumerated in the Huawei bulletins.

Share

EUVD-2026-21796 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy