Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
4DescriptionCVE.org
Boundary-unlimited vulnerability in the application read module. Impact: Successful exploitation of this vulnerability may affect availability.
AnalysisAI
Local privilege escalation in HarmonyOS application read module allows unauthenticated local attackers to cause memory corruption through a boundary-unlimited buffer overflow, potentially achieving code execution or system crash with high availability impact. CVSS 6.8 reflects local attack vector with integrity and availability consequences. Huawei has released security bulletins addressing this CWE-119 vulnerability affecting HarmonyOS devices.
Technical ContextAI
This vulnerability is a classic boundary-unlimited buffer overflow (CWE-119) in HarmonyOS's application read module, a component responsible for reading and processing application data or resources. The root cause is insufficient bounds checking when writing to a fixed-size memory buffer, allowing an attacker to overflow the buffer and corrupt adjacent memory. The CVSS vector (AV:L/AC:L/PR:N/UI:N/S:U) indicates this is a local privilege escalation requiring only file system or local process access, with no prerequisites or user interaction needed. The affected products are all versions of HarmonyOS (CPE: cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:*), suggesting this is a foundational issue in the OS kernel or core libraries rather than a specific version.
RemediationAI
Apply the security updates provided in Huawei's official security bulletins. Visit https://consumer.huawei.com/en/support/bulletin/2026/4/ for consumer HarmonyOS devices and https://consumer.huawei.com/en/support/bulletinwearables/2026/4/ for wearable devices to identify the exact patched firmware version for your device model. Huawei will provide specific firmware version numbers and over-the-air update instructions through these channels. Until patches are applied, restrict physical access to devices and avoid installing untrusted applications from non-official sources, as this vulnerability requires local access to exploit.
Same weakness CWE-119 – Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21846
GHSA-qrvp-579j-2cf5