Description
Race condition vulnerability in the permission management service. Impact: Successful exploitation of this vulnerability may affect availability.
Published: 2026-03-05
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Availability
Action: Patch Now
AI Analysis

Impact

A race condition exists in the permission management service of HarmonyOS: concurrent access to the service is not properly synchronized, and an attacker can manipulate concurrent access patterns to trigger the flaw. Successful exploitation may lead to a denial of service by causing the service to crash or become unresponsive, thereby impacting system availability. The vulnerability is classified as CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization).

Affected Systems

The flaw affects Huawei HarmonyOS version 6.0.0. No other vendors or versions are listed in the public advisory. Devices running this operating system version are potentially exposed to the issue.

Risk and Exploitability

The CVSS 3.1 base score of 6.6 indicates Medium severity. The EPSS score of less than 1% indicates a low estimated probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog, so no exploitation in the wild has been recorded there. The CVSS vector (AV:L/AC:L/PR:L/UI:N) describes a local attacker with low privileges and no user interaction; it rates the availability impact High and the confidentiality and integrity impacts Low. Given the low current exploitation probability, the risk is moderate, but the impact on availability warrants prompt remediation.

Generated by OpenCVE AI on April 15, 2026 at 16:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest HarmonyOS firmware update that includes the permission service fix
  • If a firmware rollback or update is not yet available, configure the device to run the permission management service in a restricted or isolated mode, limiting external interaction
  • Continuously monitor system logs for abnormal permission service activity and perform regular integrity checks to detect any unintended restarts or crashes

Generated by OpenCVE AI on April 15, 2026 at 16:00 UTC.


Advisories

No advisories yet.

History

Wed, 15 Apr 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Race Condition in Permission Management Service Leading to Denial of Service |

Thu, 05 Mar 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Huawei; Huawei harmonyos |
| CPEs | | `cpe:2.3:o:huawei:harmonyos:6.0.0:*:*:*:*:*:*:*` |
| Vendors & Products | | Huawei; Huawei harmonyos |

Thu, 05 Mar 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` |


Thu, 05 Mar 2026 08:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Race condition vulnerability in the permission management service. Impact: Successful exploitation of this vulnerability may affect availability. |
| Weaknesses | | CWE-362 |
| References | | |
| Metrics | | cvssV3_1 `{'score': 6.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H'}` |


MITRE

Status: PUBLISHED

Assigner: huawei

Published:

Updated: 2026-04-13T06:01:05.840Z

Reserved: 2026-02-28T03:58:12.088Z

Link: CVE-2026-28549

Vulnrichment

Updated: 2026-03-05T14:52:23.782Z

NVD

Status: Analyzed

Published: 2026-03-05T09:16:11.740

Modified: 2026-03-05T21:43:23.040

Link: CVE-2026-28549

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:00:07Z

Weaknesses