Description
UAF concurrency vulnerability in the graphics module.
Impact: Successful exploitation of this vulnerability may affect availability.
Published: 2026-02-06
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a use‑after‑free caused by a race condition in HarmonyOS' graphics subsystem. When concurrent requests process shared graphics resources, an attacker can trigger a memory misuse that leads to a crash. The consequence is loss of service for the affected device or application, as the graphics module terminates unexpectedly. This results in an availability loss rather than confidentiality or integrity breaches.

Affected Systems

Huawei HarmonyOS versions 5.1.0 and 6.0.0 are affected, as indicated by the vendor's advisory and the specified CPE entries. All devices running these operating system releases, including consumer smartphones and laptops, may be vulnerable.

Risk and Exploitability

The CVSS base score of 8.4 classifies the flaw as high severity. The EPSS rating of less than 1% suggests a low likelihood of exploitation in the wild at present, and the vulnerability is not listed in CISA's KEV catalog. Because the description does not specify the required privileges or remote interaction, the most reasonable assumption is that an attacker could exercise the flaw by supplying malicious graphics data that the OS will process, such as an image file or media stream. The vector is therefore likely local, or remote through content ingestion. Regardless, a successful exploit would cause a denial of service that could affect a single user or the broader system, depending on how the graphics module is integrated.

Generated by OpenCVE AI on April 17, 2026 at 22:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Huawei's official patch by upgrading HarmonyOS to the latest release that fixes the graphics UAF flaw.
  • Restart the device or restart the graphics subsystem to clear any crashed state after patching.
  • Limit or sanitize untrusted graphics content until a patch is available; disable external graphic file loading if possible.



Advisories

No advisories yet.

History

Fri, 17 Apr 2026 23:15:00 +0000

Type Values Removed Values Added
Title Untrusted Resource Use After Free in HarmonyOS Graphics Module Causing Denial of Service

Mon, 09 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:o:huawei:harmonyos:5.1.0:*:*:*:*:*:*:*
cpe:2.3:o:huawei:harmonyos:6.0.0:*:*:*:*:*:*:*

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Huawei
Huawei harmonyos
Vendors & Products Huawei
Huawei harmonyos

Fri, 06 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description UAF concurrency vulnerability in the graphics module. Impact: Successful exploitation of this vulnerability may affect availability.
Weaknesses CWE-362
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: huawei

Published:

Updated: 2026-02-06T16:34:04.705Z

Reserved: 2026-01-28T06:05:05.257Z

Link: CVE-2026-24930

Vulnrichment

Updated: 2026-02-06T16:33:58.957Z

NVD

Status: Analyzed

Published: 2026-02-06T09:15:51.480

Modified: 2026-02-09T19:05:44.287

Link: CVE-2026-24930

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:00:12Z

Weaknesses