PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-24792 OpenHarmony CVE debrief

A high-severity vulnerability in OpenHarmony v6.0 and prior versions allows remote attackers to execute arbitrary code in pre-installed applications. The vulnerability, published on May 19, 2026, carries a CVSS 3.1 score of 8.1 (HIGH) with a vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. The attack is network-based and requires low privileges and no user interaction. The underlying weakness is categorized as CWE-364. The NVD currently lists this CVE with a status of 'Deferred'. OpenHarmony has disclosed this issue through its security disclosure process.

  • Vendor: OpenHarmony
  • Product: Unknown
  • CVSS: HIGH 8.1
  • CISA KEV: Not listed in stored evidence
  • Original CVE published: 2026-05-19
  • Original CVE updated: 2026-05-19
  • Advisory published: 2026-05-19
  • Advisory updated: 2026-05-19

Who should care

Organizations deploying OpenHarmony-based devices, IoT security teams, mobile device management administrators, and supply chain security assessors evaluating embedded operating systems.

Technical summary

CVE-2026-24792 affects OpenHarmony v6.0 and earlier, enabling remote attackers with low privileges to execute arbitrary code within pre-installed applications without user interaction. Per the CVSS vector, the impact on confidentiality and availability is high. The root cause relates to weakness CWE-364. As of publication, NVD has deferred analysis of this entry. OpenHarmony's security disclosure process has documented this issue in its 2026-04 security bulletin.

Defensive priority

HIGH

Recommended defensive actions

  • Review OpenHarmony security disclosure 2026-04 for patch availability and affected component details
  • Assess pre-installed application inventory on OpenHarmony v6.0 and prior deployments
  • Apply security updates from OpenHarmony project when available
  • Monitor NVD for status change from Deferred to Analyzed
  • Implement network segmentation to limit exposure of OpenHarmony devices to untrusted networks

Evidence notes

CVE published 2026-05-19T04:16:27.907Z; modified 2026-05-19T14:25:04.340Z. CVSS 8.1 HIGH. NVD status: Deferred. Weakness: CWE-364. Vendor evidence points to OpenHarmony via Gitcode security disclosure reference.
