Skip to main content

HarmonyOS EUVDEUVD-2026-44657

| CVE-2026-58553 MEDIUM
Classic Buffer Overflow (CWE-120)
2026-07-15 huawei GHSA-p93h-8pcw-45vc
4.0
CVSS 3.1 · Vendor: huawei
Share

Severity by source

Vendor (huawei) PRIMARY
4.0 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
4.4 MEDIUM

Image codec OOB reads typically require a user to open a crafted file (UI:R) and can leak adjacent memory (C:L), contradicting vendor's C:N and UI:N assignments.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (huawei).

CVSS VectorVendor: huawei

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 15, 2026 - 12:46 vuln.today

DescriptionCVE.org

Out-of-bounds read vulnerability in the image codec module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.

AnalysisAI

Out-of-bounds read in HarmonyOS's image codec module allows a local attacker to cause service availability disruption, with the vendor description also noting potential confidentiality impact - a discrepancy with the CVSS C:N metric that warrants attention. All versions of Huawei HarmonyOS across consumer devices, vision products, wearables, and laptops are identified as affected per the July 2026 Huawei Security Bulletin. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local access to HarmonyOS device
Delivery
Craft malformed image file
Exploit
Deliver file to image codec module
Execution
Trigger out-of-bounds read in parser
Impact
Cause service crash or memory exposure

Vulnerability AssessmentAI

Exploitation The vulnerability requires local access to the affected HarmonyOS device (AV:L per CVSS vector); remote network-based exploitation is not supported by the current characterization. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 3.1 base score is 4.0 with vector AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, indicating local attack vector, low complexity, no privileges required, no user interaction, and low availability impact only. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker with access to a HarmonyOS device - through physical possession or an existing low-privilege session - delivers a specially crafted image file designed to trigger the out-of-bounds read in the codec module. When the image is processed by a gallery application, messaging client, or any system service that invokes the vulnerable codec, the overread causes the affected service to crash, resulting in a temporary availability loss. …
Remediation Users should consult the Huawei July 2026 Security Bulletins - separately published for consumer devices, vision products, wearables, and laptops - to obtain exact patched firmware and OS versions. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-32991 CRITICAL
9.8 May 14

Permission verification vulnerability in the wpa_supplicant module Impact: Successful exploitation of this vulnerability

CVE-2023-46773 CRITICAL
9.8 Dec 06

Permission management vulnerability in the PMS module. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2023-44116 CRITICAL
9.8 Oct 11

Vulnerability of access permissions not being strictly verified in the APPWidget module.Successful exploitation of this

CVE-2023-44105 CRITICAL
9.8 Oct 11

Vulnerability of permissions not being strictly verified in the window management module.Successful exploitation of this

CVE-2023-44106 CRITICAL
9.8 Oct 11

API permission management vulnerability in the Fwk-Display module.Successful exploitation of this vulnerability may caus

CVE-2023-41297 CRITICAL
9.8 Sep 25

Vulnerability of defects introduced in the design process in the HiviewTunner module. Rated critical severity (CVSS 9.8)

CVE-2023-41294 CRITICAL
9.8 Sep 25

The DP module has a service hijacking vulnerability.Successful exploitation of this vulnerability may affect some Super

CVE-2023-39405 CRITICAL
9.8 Aug 13

Vulnerability of out-of-bounds parameter read/write in the Wi-Fi module. Rated critical severity (CVSS 9.8), this vulner

CVE-2023-37242 CRITICAL
9.8 Jul 06

Vulnerability of commands from the modem being intercepted in the atcmdserver module. Rated critical severity (CVSS 9.8)

CVE-2022-46327 CRITICAL
9.8 Dec 20

Some smartphones have configuration issues. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitab

CVE-2022-46326 CRITICAL
9.8 Dec 20

Some smartphones have the out-of-bounds write vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is r

CVE-2022-46325 CRITICAL
9.8 Dec 20

Some smartphones have the out-of-bounds write vulnerability.Successful exploitation of this vulnerability may cause syst

Share

EUVD-2026-44657 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy