Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
in OpenHarmony v6.0 and prior versions allow a local attacker cause information leak.
AnalysisAI
Information disclosure in OpenHarmony v6.0 and earlier enables a low-privileged local attacker to leak high-sensitivity data from the system without any user interaction. The root cause is a signal handler race condition (CWE-364), where asynchronous signal delivery can expose protected memory contents while leaving system integrity and availability unaffected. No public exploit code has been identified at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
The vulnerability is rooted in CWE-364, a signal handler race condition. Signal handlers in POSIX-compliant operating systems are invoked asynchronously when a process receives a signal, interrupting normal execution at non-deterministic points. If a signal handler accesses shared state or memory regions that are also manipulated by the main execution context - without proper synchronization primitives - an attacker with the ability to send signals can exploit the timing window to cause unintended reads of sensitive memory. OpenHarmony is Huawei's open-source distributed OS targeting IoT, embedded, and mobile device categories. The CPE string cpe:2.3:a:openharmony:openharmony:*:*:*:*:*:*:*:* confirms the vulnerability spans all tracked versions of the platform up to and including v6.0. The specific internal component or subsystem containing the vulnerable signal handler is not identified in the available description, as the text appears truncated.
RemediationAI
Consult the OpenHarmony May 2026 security advisory at https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-05.md to identify the specific patched release and apply the vendor-supplied update as the primary remediation. A patch is referenced by the vendor advisory; however, the exact fixed version number is not independently confirmed in the available intelligence - verify the minimum safe version directly from the advisory before upgrading. As compensating controls where immediate patching is not feasible: restrict the number of low-privilege local accounts or processes on affected devices, enforce strict process isolation to prevent unprivileged processes from sending signals to sensitive system processes (e.g., via seccomp or SELinux policy on compatible configurations), and audit which processes handle signals while accessing sensitive memory. Note that signal-filtering policies may affect legitimate inter-process communication and should be tested for operational impact before deployment.
More in Openharmony
View allin OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through
Arbitrary code execution in OpenHarmony v6.0 and earlier enables remote attackers with low privileges to execute code wi
in OpenHarmony v4.1.2 and prior versions allow a local attacker cause the common permission is upgraded to root and sens
in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through improper in
in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through use after f
in OpenHarmony v4.0.0 and prior versions allow an adjacent attacker arbitrary code execution in any apps through use aft
OpenHarmony-v3.1.2 and prior versions have an authenication bypass vulnerability in a callback handler function of Softb
OpenHarmony-v3.1.1 and prior versions have a permission bypass vulnerability. Rated high severity (CVSS 8.8), this vulne
Same weakness CWE-364 – Signal Handler Race Condition
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30830
GHSA-382c-r87v-m473