Description
in OpenHarmony v6.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps.
Published: 2026-05-19
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the web_webview component manifests as an out-of-bounds write that a remote attacker can trigger to execute arbitrary code when a pre-installed application is loaded. The vulnerability is classified as CWE‑787 and can compromise the confidentiality, integrity, and availability of the device. The official description does not specify authentication or privilege requirements; based on the description, it is inferred that no authentication or privilege is needed to exploit the issue, allowing a remote attacker to succeed once the vulnerable component is invoked. Note, however, that the CVSS vector recorded for this CVE specifies PR:L (low privileges required).

Affected Systems

OpenHarmony 6.0 and earlier. All pre-installed applications shipped in these releases contain the vulnerable web_webview component and are therefore susceptible.

Risk and Exploitability

The CVSS score of 8.8 reflects high severity. EPSS is not provided, and the flaw is not listed in the CISA KEV catalog, so current exploitation probability is uncertain. Based on the description, a remote attacker can exploit the issue via the network by sending a malicious payload to the web view component of a pre‑installed app, leading to complete control of the affected device.

Generated by OpenCVE AI on May 19, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check whether the system is running OpenHarmony 6.0 or an earlier version; if so, apply the vendor patch once a patched release becomes available.
  • If no such patch exists, consider disabling exposed APIs or restricting execution of pre‑installed applications to mitigate the risk.
  • Apply network segmentation and enforce least privilege on pre‑installed applications, monitoring logs for anomalous activity.

Advisories

No advisories yet.

History

Tue, 19 May 2026 04:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Openharmony; Openharmony openharmony
Vendors & Products | | Openharmony; Openharmony openharmony

Tue, 19 May 2026 03:30:00 +0000

Type | Values Removed | Values Added
Description | | in OpenHarmony v6.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps.
Title | | web_webview has an out-of-bounds write vulnerability
Weaknesses | | CWE-787
References | |
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: OpenHarmony

Published:

Updated: 2026-05-19T02:58:59.055Z

Reserved: 2026-03-03T06:43:20.234Z

Link: CVE-2026-27648

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-19T04:16:28.563

Modified: 2026-05-19T04:16:28.563

Link: CVE-2026-27648

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T05:00:11Z

Weaknesses