Impact
OpenHarmony versions 5.1.0 and earlier contain an out‑of‑bounds write in the arkcompiler_ets_runtime component that can be abused to execute arbitrary code within pre‑installed applications. The flaw is a classic buffer overflow (CWE‑787) and the affected code path can be triggered by a local attacker – the attack does not require remote network access. The potential impact is the execution of malicious code with the privileges of the compromised application, which could compromise system confidentiality, integrity, or availability if the application runs with elevated privileges.
Affected Systems
Affected systems are OpenHarmony builds 5.1.0, 5.0.3 and any earlier releases that contain the same code. The CPE strings list the products as openatom:openharmony:5.0.3 and openatom:openharmony:5.1.0, so any instance of these versions is vulnerable, whether pre‑installed on consumer devices or embedded in custom appliances.
Risk and Exploitability
The CVSS score of 5.5 classifies the vulnerability as moderate severity. EPSS is reported as less than 1%, indicating a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because it requires only local access and can allow code execution, the risk increases when devices are used by untrusted users or in insecure workspaces. The vulnerability can be exploited only in restricted scenarios, so the attack vector is not widely available, but it still represents a serious local privilege escalation risk.