Description
in OpenHarmony v5.0.3 and prior versions allow a local attacker to cause a sensitive information leak through use of an uninitialized resource.
Published: 2026-03-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Information Leak
Action: Patch
AI Analysis

Impact

The vulnerability in OpenHarmony v5.0.3 and earlier arises from insecure storage of sensitive information due to an uninitialized resource, allowing a local attacker to read confidential data. The weakness is categorized as CWE-908 (Use of Uninitialized Resource). The impact is exposure of sensitive information to a user or process with local access, potentially compromising confidentiality. The record provides no evidence of remote exploitation or denial of service. The likely attack vector is local.

Affected Systems

OpenHarmony v5.0.3 and prior versions are affected. The CPE entry is cpe:2.3:o:openatom:openharmony:5.0.3:*:*:*:-:*:*:*, and the description covers any release up to and including 5.0.3. Users running these versions should confirm whether their installation includes the uninitialized resource that leaks data. Beyond the record title, which names multimedia_audio_standard, the specific affected components are not enumerated.

Risk and Exploitability

The CVSS 3.1 score of 6.5 indicates medium severity. The EPSS score of less than 1% indicates a very low estimated probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires local access to the device with low privileges (AV:L and PR:L in the CVSS vector); based on the provided information, a remote attacker cannot trigger the data leak. Because the attack depends on local access, mitigations that restrict local users or enforce strict access controls reduce risk.

Generated by OpenCVE AI on March 17, 2026 at 16:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an OpenHarmony update that removes the uninitialized resource causing the leak; upgrade to a version newer than 5.0.3 where the vulnerability is fixed.
  • Verify that the installed OpenHarmony build has the security patch applied by checking release notes or version strings.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 15:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Openatom; Openatom openharmony
CPEs | | cpe:2.3:o:openatom:openharmony:5.0.3:*:*:*:-:*:*:*
Vendors & Products | | Openatom; Openatom openharmony

Tue, 17 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Openharmony; Openharmony openharmony
Vendors & Products | | Openharmony; Openharmony openharmony

Mon, 16 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 07:30:00 +0000

Type | Values Removed | Values Added
Description | | in OpenHarmony v5.0.3 and prior versions allow a local attacker case sensitive information leak through use of uninitialized resource.
Title | | multimedia_audio_standard has an insecure storage of sensitive information vulnerability
Weaknesses | | CWE-908
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: OpenHarmony

Published:

Updated: 2026-03-16T17:28:06.877Z

Reserved: 2025-11-05T02:45:04.394Z

Link: CVE-2025-12736

Vulnrichment

Updated: 2026-03-16T17:27:56.583Z

NVD

Status: Analyzed

Published: 2026-03-16T14:17:54.323

Modified: 2026-03-17T15:40:33.853

Link: CVE-2025-12736

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:45:35Z

Weaknesses