Impact
A race condition in the multimedia audio framework of OpenHarmony allows a local attacker to read sensitive data that should be protected. The flaw, identified as CWE-364, arises when concurrent operations access shared data without proper synchronization, causing corruption or unintended data exposure. As a result, any user or process running on the device can read internal information that the framework should guard, potentially including credentials or private media content.
Affected Systems
The vulnerability affects all OpenHarmony releases up to and including version 6.0. Users deploying OpenHarmony 6.0 or earlier on devices that provide local access to the multimedia audio framework are susceptible. The flaw is not specific to a particular hardware model but applies to the framework as shipped in those OS releases.
Risk and Exploitability
The CVSS score of 5.5 indicates moderate severity, primarily because exploitation requires local access. An EPSS score is not available, so the likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. Attackers need local device access and the ability to run code with the same privileges as the targeted multimedia service; no remote network vector is documented. Exploitation would involve inducing a race condition by executing competing operations, then reading the leaked data from the intermediate state.