Description
in OpenHarmony v6.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps.
Published: 2026-05-19
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a race condition in the web_webview component that can be exploited by a remote attacker. When the race condition is triggered, the attacker can gain arbitrary code execution within the context of pre‑installed applications. This weakness corresponds to CWE‑364 and enables the attacker to take full control of the affected system by running arbitrary code.

Affected Systems

OpenHarmony releases 6.0 and earlier are affected. Any pre-installed application running web_webview on those versions is impacted.

Risk and Exploitability

The CVSS base score of 8.1 indicates a high severity vulnerability. Because the EPSS score is not provided, the current probability of exploitation is unknown, but the lack of a KEV listing does not reduce concern. A remote attacker can trigger the race condition via web resources and gain code execution. There is no known public exploit yet, but the high severity plus lack of mitigation means the risk remains significant for systems still running affected versions.

Generated by OpenCVE AI on May 19, 2026 at 04:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenHarmony to version 6.1 or later, where the race condition has been fixed.
  • If upgrading immediately is not possible, restrict use of web_webview in pre‑installed applications by disabling background rendering or isolating app permissions.
  • Implement continuous monitoring for unexpected process execution or elevated privileges, and promptly investigate any anomalies.



Advisories

No advisories yet.

History

Tue, 19 May 2026 04:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Openharmony, Openharmony openharmony |
| Vendors & Products | | Openharmony, Openharmony openharmony |

Tue, 19 May 2026 03:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | in OpenHarmony v6.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps. |
| Title | | web_webview has a Race Condition vulnerability |
| Weaknesses | | CWE-364 |
| References | | |
| Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'} |


MITRE

Status: PUBLISHED

Assigner: OpenHarmony

Published:

Updated: 2026-05-19T02:58:50.812Z

Reserved: 2026-03-03T06:43:20.224Z

Link: CVE-2026-24792

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-19T04:16:27.907

Modified: 2026-05-19T04:16:27.907

Link: CVE-2026-24792

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T04:30:25Z

Weaknesses