PatchSiren cyber security CVE debrief

CVE-2026-25110 OpenHarmony CVE debrief

A local denial-of-service vulnerability exists in OpenHarmony v6.0 and prior versions. The issue, classified as CWE-476 (NULL Pointer Dereference), allows a local attacker to cause a denial-of-service condition. The vulnerability has a CVSS 3.1 score of 3.3 (Low severity) with an attack vector of local access, low attack complexity, and low privileges required. No user interaction is needed for exploitation. The vulnerability was disclosed by the OpenHarmony security team and published in the May 2026 security disclosure. The NVD entry currently shows a status of 'Deferred'. No known exploitation in the wild or ransomware campaign use has been reported.

Vendor: OpenHarmony
Product: Unknown
CVSS: LOW 3.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

Organizations deploying OpenHarmony-based systems, IoT device manufacturers using OpenHarmony, and security teams managing embedded Linux/RTOS environments should monitor for patches.

Technical summary

The vulnerability stems from a NULL pointer dereference (CWE-476) in OpenHarmony v6.0 and earlier versions. A local attacker with low privileges can trigger the condition without user interaction, resulting in a denial-of-service. The attack requires local access and has low complexity, but impact is limited to availability (no confidentiality or integrity impact).

Defensive priority

routine

Recommended defensive actions

  • Apply security updates from OpenHarmony when available per the vendor security disclosure
  • Review local access controls to limit exposure to trusted users only
  • Monitor OpenHarmony security advisories for patch availability
  • Assess systems running OpenHarmony v6.0 or earlier for exposure

Evidence notes

Vulnerability disclosed via OpenHarmony security disclosure page on Gitcode. NVD status is 'Deferred'. CVSS vector confirms local attack vector with low privileges required.
