Skip to main content

HarmonyOS SMS EUVDEUVD-2026-35359

| CVE-2026-41972 MEDIUM
Path Traversal (CWE-22)
2026-06-09 huawei GHSA-rjp8-mxm8-p2fm
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 08:02 vuln.today

DescriptionCVE.org

Path traversal vulnerability in the SMS app. Impact: Successful exploitation of this vulnerability may affect availability.

AnalysisAI

Path traversal in the HarmonyOS SMS application allows unauthenticated remote attackers to impact integrity and availability on affected Huawei devices. Exploitation requires user interaction - a victim must engage with a crafted message - but no privileges or special authentication are needed from the attacker's side, lowering the barrier to reach a target. No public exploit or CISA KEV listing exists at time of analysis; this appears to be a vendor-disclosed issue patched in the June 2026 Huawei security bulletin.

Technical ContextAI

CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) describes a root cause where user-controlled input is used in file path construction without sufficient sanitization, allowing directory traversal sequences such as '../' to escape the intended file system boundary. In the context of the HarmonyOS SMS application, the flaw resides in how the app processes inbound message content or attachments, potentially allowing a crafted payload to reference arbitrary paths on the device file system. The CPE string cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:* indicates the vulnerability is catalogued against HarmonyOS across all tracked versions, though the exact version range is not bounded in the CPE wildcard. HarmonyOS is Huawei's proprietary mobile and IoT operating system, and the SMS stack is a core system application.

RemediationAI

Apply the fix documented in the Huawei Consumer Security Bulletin for June 2026, available at https://consumer.huawei.com/en/support/bulletin/2026/6/. No exact patched version number is independently confirmed from the available data - exact fix version should be verified directly from the bulletin. As a compensating control prior to patching, users can disable SMS preview in notification settings to reduce the user interaction surface, though this does not eliminate the vulnerability. Restricting third-party or unknown sender SMS messages via carrier-level filtering can reduce exposure. No known side effects are associated with applying the official Huawei bulletin update.

Share

EUVD-2026-35359 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy