PatchSiren cyber security CVE debrief
CVE-2026-25850 OpenHarmony CVE debrief
A local information disclosure vulnerability exists in OpenHarmony v6.0 and prior versions. The flaw allows a local attacker to cause information leakage. The vulnerability is classified as CWE-281 (Improper Preservation of Permissions) and carries a CVSS 3.1 score of 5.5 (MEDIUM severity). The attack vector is local with low attack complexity, requiring low privileges but no user interaction. The confidentiality impact is rated HIGH while integrity and availability impacts are NONE. The CVE was published on 2026-05-19 and subsequently modified the same day. The vulnerability status in NVD is currently 'Deferred'. OpenHarmony has published a security disclosure for May 2026 that contains additional details. No known exploitation in the wild or ransomware campaign use has been reported.
- Vendor: OpenHarmony
- Product: Unknown
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-19
Who should care
Organizations running OpenHarmony v6.0 or earlier in production environments, particularly those with multi-user scenarios or concerns about local privilege boundaries; system administrators managing OpenHarmony deployments; and security teams tracking mobile/IoT operating system vulnerabilities.
Technical summary
The vulnerability exists in OpenHarmony v6.0 and prior versions due to improper preservation of permissions (CWE-281). A local attacker with low privileges can exploit this flaw to cause information leakage. The attack requires local access and low privileges but no user interaction. The high confidentiality impact indicates sensitive information may be exposed to unauthorized local users. The vulnerability does not affect integrity or availability.
Defensive priority
medium
Recommended defensive actions
- Review OpenHarmony security disclosure for May 2026 to obtain detailed technical information about affected components and patches
- Assess local access controls on OpenHarmony deployments to limit exposure to authenticated users
- Monitor OpenHarmony security advisories for patch availability and apply updates when released
- Review permission preservation mechanisms in custom OpenHarmony builds for similar weaknesses
- Audit systems for unauthorized local access that could facilitate information disclosure attacks
Evidence notes
Vulnerability confirmed through official NVD record with CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. CWE-281 (Improper Preservation of Permissions) identified as the weakness type. Source reference from OpenHarmony security disclosure repository on Gitcode.
Official resources
- CVE-2026-25850 CVE record: CVE.org
- CVE-2026-25850 NVD detail: NVD
- Source item URL: nvd_modified
- Source reference: 2026-05-19