Severity by source
AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Logic bypass vulnerability in the file system. Impact: Successful exploitation of this vulnerability may affect availability.
AnalysisAI
File system logic bypass in Huawei HarmonyOS allows a physically present, unauthenticated attacker to circumvent file system control logic, resulting in limited availability impact on the affected device. CVSS scores this at 2.4 (Low), reflecting the mandatory physical access requirement and constrained availability-only impact with no confidentiality or integrity exposure. No public exploit code exists and the vulnerability is not listed in CISA KEV at time of analysis.
Technical ContextAI
The affected product is Huawei HarmonyOS, identified via CPE cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:* - the wildcard version field indicates all tracked versions are considered affected. The root cause is classified as CWE-606 (Unchecked Input for Loop Condition), a logic-layer flaw where attacker-supplied or attacker-influenced input is used in a loop control expression without adequate validation. In a file system context, this can allow an attacker to manipulate iteration logic - such as directory traversal loops or file enumeration routines - to bypass intended constraints, potentially causing resource exhaustion, unexpected termination, or partial denial of file system service. The CVSS vector AV:P confirms exploitation requires hands-on physical access to the device, consistent with a local file system attack surface rather than a remotely reachable interface.
RemediationAI
Patch available per vendor advisory - consult the Huawei June 2026 Security Bulletin at https://consumer.huawei.com/en/support/bulletin/2026/6/ (mobile/consumer devices) and https://consumer.huawei.com/en/support/bulletinlaptops/2026/6/ (HarmonyOS laptop devices) for the exact patched firmware or OS version applicable to your device model. An exact fix version number was not included in the available intelligence data and cannot be independently confirmed; users should apply the latest update delivered via HarmonyOS OTA update mechanism. As a compensating control while patching is pending, enforce physical access controls - device lock screens, full-disk encryption, and restricted physical access to devices - to eliminate the physical attack vector (AV:P) required for exploitation. These controls address the attack precondition directly with no meaningful operational trade-off.
Same weakness CWE-606 – Unchecked Input for Loop Condition
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35358
GHSA-472f-2v5j-fh75