Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Path traversal vulnerability in the SMS app. Impact: Successful exploitation of this vulnerability may affect availability.
AnalysisAI
Path traversal in the HarmonyOS SMS application allows unauthenticated remote attackers to impact integrity and availability on affected Huawei devices. Exploitation requires user interaction - a victim must engage with a crafted message - but no privileges or special authentication are needed from the attacker's side, lowering the barrier to reach a target. No public exploit or CISA KEV listing exists at time of analysis; this appears to be a vendor-disclosed issue patched in the June 2026 Huawei security bulletin.
Technical ContextAI
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) describes a root cause where user-controlled input is used in file path construction without sufficient sanitization, allowing directory traversal sequences such as '../' to escape the intended file system boundary. In the context of the HarmonyOS SMS application, the flaw resides in how the app processes inbound message content or attachments, potentially allowing a crafted payload to reference arbitrary paths on the device file system. The CPE string cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:* indicates the vulnerability is catalogued against HarmonyOS across all tracked versions, though the exact version range is not bounded in the CPE wildcard. HarmonyOS is Huawei's proprietary mobile and IoT operating system, and the SMS stack is a core system application.
RemediationAI
Apply the fix documented in the Huawei Consumer Security Bulletin for June 2026, available at https://consumer.huawei.com/en/support/bulletin/2026/6/. No exact patched version number is independently confirmed from the available data - exact fix version should be verified directly from the bulletin. As a compensating control prior to patching, users can disable SMS preview in notification settings to reduce the user interaction surface, though this does not eliminate the vulnerability. Restricting third-party or unknown sender SMS messages via carrier-level filtering can reduce exposure. No known side effects are associated with applying the official Huawei bulletin update.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35359
GHSA-rjp8-mxm8-p2fm