Description
UAF vulnerability in the security module.
Impact: Successful exploitation of this vulnerability may affect availability.
Published: 2026-02-06
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Availability
Action: Patch Now
AI Analysis

Impact

A use‑after‑free vulnerability exists in the security module of Huawei EMUI and HarmonyOS. The flaw exposes memory after it has been freed, allowing an attacker to manipulate the application or system state once the compromised memory is reused. The consequence is primarily an availability impact, where privileged functions could be disturbed or the system could become unstable or crash. The weakness is identified as CWE-416.

Affected Systems

Affected vendors and products include Huawei EMUI versions 13.0.0, 14.0.0, 14.2.0 and 15.0.0, as well as Huawei HarmonyOS versions 3.1.0, 4.0.0, 4.2.0 and 4.3.0. These are the devices for which the lack of the security module fix is documented.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score is less than 1%, suggesting that exploitation is currently rare. The vulnerability is not listed in CISA’s KEV catalog, which reduces the likelihood of publicly known attacks. Given that the flaw lies in a system‑level security module, the attack vector is likely local device exploitation with privileged access, although if the module is exposed via remote interfaces it could potentially be triggered from outside. The exploit would require manipulating memory allocations or forcing the module to dereference freed pointers, which in turn could lead to corruption or crashes.

Generated by OpenCVE AI on April 18, 2026 at 13:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and apply the latest official firmware update for the affected Huawei EMUI and HarmonyOS versions from the vendor's support portal.
  • Disable all non‑essential remote management interfaces (e.g., OTA updates, ADB, or remote debugging) to reduce exposure.
  • Continuously monitor system logs for signs of memory corruption or crashes and apply new patches as they are released.

Generated by OpenCVE AI on April 18, 2026 at 13:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Title Use After Free in Huawei EMUI/HarmonyOS Security Module

Tue, 10 Feb 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Huawei
Huawei emui
Huawei harmonyos
CPEs cpe:2.3:o:huawei:emui:13.0.0:*:*:*:*:*:*:*
cpe:2.3:o:huawei:emui:14.0.0:*:*:*:*:*:*:*
cpe:2.3:o:huawei:emui:14.2.0:*:*:*:*:*:*:*
cpe:2.3:o:huawei:emui:15.0.0:*:*:*:*:*:*:*
cpe:2.3:o:huawei:harmonyos:3.1.0:*:*:*:*:*:*:*
cpe:2.3:o:huawei:harmonyos:4.0.0:*:*:*:*:*:*:*
cpe:2.3:o:huawei:harmonyos:4.2.0:*:*:*:*:*:*:*
cpe:2.3:o:huawei:harmonyos:4.3.0:*:*:*:*:*:*:*
Vendors & Products Huawei
Huawei emui
Huawei harmonyos

Fri, 06 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
Description UAF vulnerability in the security module. Impact: Successful exploitation of this vulnerability may affect availability.
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H'}

Subscriptions

Huawei Emui Harmonyos
cve-icon MITRE

Status: PUBLISHED

Assigner: huawei

Published:

Updated: 2026-02-06T16:27:30.983Z

Reserved: 2026-01-28T06:05:05.256Z

Link: CVE-2026-24917

cve-icon Vulnrichment

Updated: 2026-02-06T16:27:22.207Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-06T09:15:49.950

Modified: 2026-02-10T17:57:51.640

Link: CVE-2026-24917

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T13:45:45Z

Weaknesses