Description
in OpenHarmony v6.0 and prior versions allow a local attacker case DOS through missing release of memory.
Published: 2026-03-16
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

In OpenHarmony v6.0 and earlier, the system fails to release allocated memory under specific conditions, leading to a memory leak. This flaw, catalogued as CWE‑401, permits a local attacker to repeatedly trigger the leak, consuming system memory until processes become unresponsive, resulting in a denial of service. The vulnerability does not disclose data or allow code execution; its impact is confined to availability.

Affected Systems

The vulnerability affects all releases of OpenHarmony version 6.0 and any prior versions, as identified by the vendor identifiers OpenHarmony:OpenHarmony and the CPE string cpe:2.3:o:openatom:openharmony:*:*:*:*:-:*:*:*.

Risk and Exploitability

The CVSS score is 3.3, indicating low severity, while the EPSS score is below 1%, showing a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack vector is local—an attacker must have local access to initiate the memory‑consuming operations. Because the flaw only causes a service interruption, the overall risk to confidentiality and integrity is none.

Generated by OpenCVE AI on March 17, 2026 at 17:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenHarmony to a version newer than 6.0 (e.g., the latest release).
  • If an upgrade is not immediately feasible, isolate the affected system from untrusted local users and monitor memory usage for anomalies.
  • Verify that the patch has been applied by consulting the vendor’s security advisory or the disclosed reference.

Generated by OpenCVE AI on March 17, 2026 at 17:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Openatom
Openatom openharmony
CPEs cpe:2.3:o:openatom:openharmony:*:*:*:*:-:*:*:*
Vendors & Products Openatom
Openatom openharmony

Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Openharmony
Openharmony openharmony
Vendors & Products Openharmony
Openharmony openharmony

Mon, 16 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 07:30:00 +0000

Type Values Removed Values Added
Description in OpenHarmony v6.0 and prior versions allow a local attacker case DOS through missing release of memory.
Title liteos_a has a missing release of memory vulnerability
Weaknesses CWE-401
References
Metrics cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Openatom Openharmony
Openharmony Openharmony
cve-icon MITRE

Status: PUBLISHED

Assigner: OpenHarmony

Published:

Updated: 2026-03-16T17:33:21.403Z

Reserved: 2026-01-06T06:52:22.079Z

Link: CVE-2026-0639

cve-icon Vulnrichment

Updated: 2026-03-16T17:29:49.655Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T14:18:07.000

Modified: 2026-03-17T15:40:50.177

Link: CVE-2026-0639

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:45:36Z

Weaknesses