PatchSiren cyber security CVE debrief
CVE-2026-27648 OpenHarmony CVE debrief
A remote code execution vulnerability in OpenHarmony v6.0 and prior versions allows attackers to execute arbitrary code in pre-installed applications. The vulnerability is classified as CWE-787 (Out-of-bounds Write) with a CVSS 3.1 score of 8.8 (HIGH severity). The attack vector is network-based with low attack complexity, requiring low privileges but no user interaction. The vulnerability was disclosed by the OpenHarmony security team and published in the NVD on May 19, 2026. The NVD entry currently shows a status of 'Deferred', indicating the record may be awaiting additional analysis or vendor coordination. Organizations using OpenHarmony v6.0 or earlier should monitor for security updates from the OpenHarmony project.
- Vendor: OpenHarmony
- Product: Unknown
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-19
Who should care
Organizations deploying OpenHarmony-based devices, IoT manufacturers using OpenHarmony, mobile device management teams, and security teams responsible for embedded/mobile operating system security.
Technical summary
The vulnerability exists in OpenHarmony v6.0 and earlier versions, specifically affecting pre-installed applications. The out-of-bounds write weakness (CWE-787) can be exploited remotely by an attacker with low privileges to achieve arbitrary code execution. The network-based attack vector with low complexity and no required user interaction makes this vulnerability particularly dangerous. Successful exploitation grants high impact across confidentiality, integrity, and availability dimensions.
Defensive priority
HIGH
Recommended defensive actions
- Monitor OpenHarmony security advisories for patch availability
- Review pre-installed application permissions and network exposure
- Apply security updates when released by the OpenHarmony project
- Consider network segmentation for OpenHarmony-based devices until patched
Evidence notes
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. CWE-787 (Out-of-bounds Write) identified as the primary weakness. Affected versions explicitly stated as OpenHarmony v6.0 and prior.
Official resources
- CVE-2026-27648 CVE record (CVE.org)
- CVE-2026-27648 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: The vulnerability was disclosed by the OpenHarmony security team and published to NVD on May 19, 2026. The NVD record status is currently 'Deferred', suggesting ongoing analysis or vendor coordination.