Skip to main content

HarmonyOS EUVDEUVD-2026-44658

| CVE-2026-58555 MEDIUM
Permissions, Privileges, and Access Controls (CWE-264)
2026-07-15 huawei GHSA-78h5-w2vg-67j7
6.6
CVSS 3.1 · Vendor: huawei
Share

Severity by source

Vendor (huawei) PRIMARY
6.6 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
vuln.today AI
6.6 MEDIUM

Local vector confirmed by card-module scope; PR:N because any unprivileged app can register a card; UI:R because victim interaction with the card is required to trigger the bypass.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (huawei).

CVSS VectorVendor: huawei

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 15, 2026 - 12:47 vuln.today

DescriptionCVE.org

Permission bypass vulnerability in the card module. Impact: Successful exploitation of this vulnerability may affect availability.

AnalysisAI

Permission bypass in the HarmonyOS card module allows a local, unprivileged user - with required user interaction - to circumvent access controls, resulting in high availability impact alongside limited confidentiality and integrity exposure. The vulnerability affects Huawei HarmonyOS across all tracked versions per CPE data and is documented in Huawei's July 2026 security bulletin. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Install malicious card on HarmonyOS device
Delivery
Victim interacts with crafted card
Exploit
Card module skips permission enforcement
Execution
Bypass access controls
Impact
Crash system service or access restricted resources

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) the attacker's malicious card to be present and rendered on the HarmonyOS device - either via side-loading or a third-party card source - and (2) an active user interaction with that card (UI:R), such as tapping or triggering it. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.6 (Medium) reflects a local-only attack vector (AV:L) with no privilege requirement (PR:N) but mandatory user interaction (UI:R), constraining the attack surface to on-device scenarios where a victim interacts with a malicious or compromised card. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A threat actor publishes a malicious HarmonyOS service card through a side-loaded application or a third-party card marketplace; when the device owner adds or interacts with this card on their home screen, the card module's permission enforcement is bypassed, allowing the attacker's card to trigger a high-availability-impact condition - such as crashing a system service - while also gaining limited read or write access to resources the card would not normally be permitted to access. No public exploit code has been identified at time of analysis.
Remediation Consult the Huawei July 2026 security bulletins directly at https://consumer.huawei.com/en/support/bulletin/2026/7/ (for phones and tablets) and https://consumer.huawei.com/en/support/bulletinlaptops/2026/7/ (for laptops) to identify the exact patched HarmonyOS version and apply the available OTA update. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-32991 CRITICAL
9.8 May 14

Permission verification vulnerability in the wpa_supplicant module Impact: Successful exploitation of this vulnerability

CVE-2023-46773 CRITICAL
9.8 Dec 06

Permission management vulnerability in the PMS module. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2023-44116 CRITICAL
9.8 Oct 11

Vulnerability of access permissions not being strictly verified in the APPWidget module.Successful exploitation of this

CVE-2023-44105 CRITICAL
9.8 Oct 11

Vulnerability of permissions not being strictly verified in the window management module.Successful exploitation of this

CVE-2023-44106 CRITICAL
9.8 Oct 11

API permission management vulnerability in the Fwk-Display module.Successful exploitation of this vulnerability may caus

CVE-2023-41297 CRITICAL
9.8 Sep 25

Vulnerability of defects introduced in the design process in the HiviewTunner module. Rated critical severity (CVSS 9.8)

CVE-2023-41294 CRITICAL
9.8 Sep 25

The DP module has a service hijacking vulnerability.Successful exploitation of this vulnerability may affect some Super

CVE-2023-39405 CRITICAL
9.8 Aug 13

Vulnerability of out-of-bounds parameter read/write in the Wi-Fi module. Rated critical severity (CVSS 9.8), this vulner

CVE-2023-37242 CRITICAL
9.8 Jul 06

Vulnerability of commands from the modem being intercepted in the atcmdserver module. Rated critical severity (CVSS 9.8)

CVE-2022-46327 CRITICAL
9.8 Dec 20

Some smartphones have configuration issues. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitab

CVE-2022-46326 CRITICAL
9.8 Dec 20

Some smartphones have the out-of-bounds write vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is r

CVE-2022-46325 CRITICAL
9.8 Dec 20

Some smartphones have the out-of-bounds write vulnerability.Successful exploitation of this vulnerability may cause syst

Share

EUVD-2026-44658 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy