PatchSiren cyber security CVE debrief
CVE-2026-25781 OpenHarmony CVE debrief
A local denial-of-service vulnerability in OpenHarmony v6.0 and earlier allows an attacker to cause a system crash that cannot be recovered without manual intervention. The vulnerability is classified as HIGH severity with a CVSS 3.1 score of 8.4. The attack requires local access with low privileges and no user interaction, but can affect resources beyond the vulnerable component's security scope. The underlying weakness is identified as CWE-787 (Out-of-bounds Write). The CVE was published on 2026-05-19 and is currently in 'Deferred' status in the NVD. No known exploitation in ransomware campaigns has been reported, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.
- Vendor: OpenHarmony
- Product: Unknown
- CVSS: HIGH 8.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-19
Who should care
Organizations deploying OpenHarmony-based systems, particularly in embedded or IoT environments where manual recovery may be difficult; system administrators managing OpenHarmony v6.0 or earlier installations; security teams monitoring for local privilege escalation or denial-of-service conditions; and developers building on OpenHarmony who need to understand memory safety requirements in the platform.
Technical summary
This vulnerability stems from an out-of-bounds write (CWE-787) in OpenHarmony v6.0 and earlier versions. A local attacker with low privileges can trigger the condition without user interaction, resulting in a denial-of-service state from which the system cannot automatically recover. The changed scope (S:C) in the CVSS vector indicates the vulnerable component can affect resources beyond its own security scope. While the CVSS vector shows no availability impact (A:N), the CVE description explicitly states an unrecoverable DoS, suggesting either that the scoring does not fully capture the availability impact or that it reflects a specific assessment of the vulnerability's characteristics. The deferred NVD status indicates the entry may be awaiting additional analysis or vendor confirmation.
Defensive priority
HIGH
Recommended defensive actions
- Review OpenHarmony security advisory at the referenced Gitcode disclosure for specific affected components and patch information
- Apply security updates from OpenHarmony when available, prioritizing systems running v6.0 or earlier
- Implement principle of least privilege to limit local attacker access
- Monitor for anomalous local process behavior that could indicate exploitation attempts
- Verify integrity of system state after any unexpected crashes, as recovery may require manual intervention
- Review memory safety controls and sandboxing for components processing untrusted local input
Evidence notes
The CVE description indicates this is a local attack vector affecting OpenHarmony v6.0 and prior versions. The CVSS vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) shows a local attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and high confidentiality and integrity impact, but notably no availability impact in the vector, despite the description stating DoS. This discrepancy may reflect scoring nuances or incomplete analysis. The weakness is CWE-787 (Out-of-bounds Write), suggesting memory corruption as the root cause. The vendor identification carries low confidence and requires review, as it is derived from reference domain analysis rather than explicit vendor attribution.
Official resources
- CVE-2026-25781 CVE record (CVE.org)
- CVE-2026-25781 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
The vulnerability was disclosed through OpenHarmony's security disclosure process, with the advisory published on Gitcode. The NVD entry was published on 2026-05-19T04:16:28.280Z and last modified on 2026-05-19T14:25:04.340Z.