Skip to main content

HarmonyOS EUVDEUVD-2026-35364

| CVE-2026-41981 MEDIUM
Heap-based Buffer Overflow (CWE-122)
2026-06-09 huawei GHSA-68xf-fx4h-9h5m
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 08:05 vuln.today

DescriptionCVE.org

Out-of-bounds write vulnerability in the IPC module. Impact: Successful exploitation of this vulnerability may affect availability.

AnalysisAI

Heap-based buffer overflow in the HarmonyOS IPC (Inter-Process Communication) module allows a local low-privileged attacker to impact confidentiality, integrity, and availability of the affected system. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) confirms exploitation requires local authenticated access with low complexity, limiting but not eliminating real-world risk on consumer and wearable Huawei devices. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Technical ContextAI

The vulnerability exists in the IPC module of Huawei HarmonyOS (CPE: cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:*). IPC subsystems are responsible for inter-process message passing and shared resource coordination within the OS; flaws in this layer are particularly sensitive because IPC is a high-traffic, privileged communication boundary. CWE-122 (Heap-based Buffer Overflow) indicates that data written to a heap-allocated buffer exceeds its allocated bounds, potentially corrupting adjacent heap metadata or data structures. Depending on memory layout, this class of flaw can enable arbitrary code execution, privilege escalation, or denial of service - though the CVSS impact scores here are rated Low across all three CIA axes, suggesting the immediately exploitable impact is constrained. Tags confirm both a generic buffer overflow and a heap-specific overflow classification, consistent with CWE-122.

RemediationAI

Apply the updates described in Huawei's June 2026 consumer security bulletin (https://consumer.huawei.com/en/support/bulletin/2026/6/) and, for wearable devices, the corresponding wearables bulletin (https://consumer.huawei.com/en/support/bulletinwearables/2026/6/). Exact patched version numbers are not independently confirmed from the available data - consult the bulletin directly for device-specific update instructions. As a compensating control prior to patching, restrict local user account creation and limit the number of low-privilege accounts or third-party applications permitted on affected devices, since exploitation requires PR:L local access; this reduces the pool of potential local attackers but does not eliminate the vulnerability. No workaround that disables IPC is feasible without rendering the OS inoperable.

Share

EUVD-2026-35364 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy