Description
in OpenHarmony v5.1.0 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through out-of-bounds write. This vulnerability can be exploited only in restricted scenarios.
Published: 2026-03-16
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Arbitrary Code Execution
Action: Apply Patch
AI Analysis

Impact

OpenHarmony's arkcompiler_ets_runtime (the ArkTS runtime component) contains an out‑of‑bounds write (CWE‑787) that a local attacker can trigger, ultimately enabling arbitrary code execution within pre‑installed applications. An out‑of‑bounds write lets the attacker corrupt memory outside the intended buffer and run malicious code, potentially compromising system confidentiality, integrity, and availability.

Affected Systems

The vulnerability affects OpenHarmony, specifically versions 5.0.3 and 5.1.0, as indicated by the CPE entries. Earlier releases may also be impacted (the description says "v5.1.0 and prior versions"), but only the listed versions are confirmed.

Risk and Exploitability

The CVSS v3.1 base score of 5.5 (vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) classifies the issue as medium severity: local access with low privileges and no user interaction, with the direct impact rated high on confidentiality and none on integrity or availability. EPSS indicates a very low current exploitation probability (<1%), and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires local access and, as the description states, is possible only in restricted scenarios. The attack vector is therefore local; nothing in the available data indicates remote exploitation.

Generated by OpenCVE AI on March 17, 2026 at 21:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenHarmony to a version with the patch that resolves the out‑of‑bounds write in arkcompiler_ets_runtime.
  • If a patch is not immediately available, disable or uninstall the vulnerable pre‑installed application(s) to mitigate the risk until an official fix is released.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 20:00:00 +0000

  Type                | Values Removed | Values Added
  First Time appeared |                | Openatom; Openatom openharmony
  CPEs                |                | cpe:2.3:o:openatom:openharmony:5.0.3:*:*:*:-:*:*:*; cpe:2.3:o:openatom:openharmony:5.1.0:*:*:*:-:*:*:*
  Vendors & Products  |                | Openatom; Openatom openharmony

Tue, 17 Mar 2026 10:00:00 +0000

  Type                | Values Removed | Values Added
  First Time appeared |                | Openharmony; Openharmony openharmony
  Vendors & Products  |                | Openharmony; Openharmony openharmony

Mon, 16 Mar 2026 18:15:00 +0000

  Type                | Values Removed | Values Added
  Metrics (ssvc)      |                | {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 07:30:00 +0000

  Type                | Values Removed | Values Added
  Description         |                | in OpenHarmony v5.1.0 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through out-of-bounds write. This vulnerability can be exploited only in restricted scenarios.
  Title               |                | arkcompiler_ets_runtime has an out-of-bounds write vulnerability
  Weaknesses          |                | CWE-787
  References          |                |
  Metrics (cvssV3_1)  |                | {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: OpenHarmony

Published:

Updated: 2026-03-16T17:23:59.634Z

Reserved: 2025-07-01T12:16:38.195Z

Link: CVE-2025-52458

Vulnrichment

Updated: 2026-03-16T17:23:54.486Z

NVD

Status: Analyzed

Published: 2026-03-16T14:17:59.287

Modified: 2026-03-17T19:58:44.437

Link: CVE-2025-52458

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:45:32Z

Weaknesses