Skip to main content

HarmonyOS Contacts EUVDEUVD-2026-30524

| CVE-2026-41961 MEDIUM
Business Logic Errors (CWE-840)
2026-05-15 huawei GHSA-9694-5xfg-m7vr
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 15, 2026 - 10:30 vuln.today
CVE Published
May 15, 2026 - 09:22 nvd
MEDIUM 5.9

DescriptionCVE.org

Permission control vulnerability in contacts. Impact: Successful exploitation of this vulnerability may affect availability.

AnalysisAI

A permission control vulnerability in HarmonyOS Contacts allows local attackers without special privileges to access sensitive contact information and affect availability of the contacts application. The vulnerability exists across HarmonyOS versions and can be exploited without user interaction, resulting in information disclosure and potential service disruption.

Technical ContextAI

This vulnerability stems from a permission control deficiency (CWE-840: Authorization with Incorrect Scope) in the HarmonyOS Contacts application. The underlying issue involves improper enforcement of access controls that govern which processes or users can read, modify, or delete contact data. HarmonyOS, Huawei's proprietary operating system, implements a privilege-based access control model. The flaw allows unprivileged local processes to bypass intended permission boundaries to access the contacts database or contact management functions, which typically require explicit user authorization or system-level permissions. The CVSS vector (AV:L/AC:L/PR:N/UI:N) indicates this is a local privilege escalation or authorization bypass affecting the contacts component without requiring user interaction.

RemediationAI

Apply the security update provided in Huawei's security bulletin released May 2026 (https://consumer.huawei.com/en/support/bulletin/2026/5/). Contact Huawei support directly or check your device's system settings for available security patches, as HarmonyOS updates are typically delivered incrementally by device model and region. Until patched, users should review app permissions on their HarmonyOS devices, denying unnecessary contact access to third-party applications through Settings > Apps > Permissions > Contacts. Restrict which apps can access the Contacts application and disable contact synchronization features with untrusted services if not required. Uninstall or disable suspicious or unused applications that request contact permissions. Note that disabling contact sync may limit functionality of certain services like email or messaging apps that rely on contact data.

Share

EUVD-2026-30524 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy