PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-28733 OpenHarmony CVE debrief

A use-after-free vulnerability (CWE-416) in OpenHarmony v6.0 and prior versions allows a local attacker to execute arbitrary code. It carries a CVSS 3.1 base score of 6.5 (MEDIUM): local attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and a high impact on availability only. The vulnerability was disclosed by OpenHarmony's security team.

Vendor
OpenHarmony
Product
Unknown
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-19
Original CVE updated
2026-05-19
Advisory published
2026-05-19
Advisory updated
2026-05-19

Who should care

Organizations deploying OpenHarmony-based devices or systems, IoT security teams, embedded systems administrators, and security teams managing OpenHarmony infrastructure should prioritize this vulnerability due to the potential for local code execution on affected systems.

Technical summary

CVE-2026-28733 is a use-after-free vulnerability (CWE-416) affecting OpenHarmony version 6.0 and earlier. A local attacker with low privileges can exploit it to execute arbitrary code; attack complexity is rated low and no user interaction is needed. The CVSS 3.1 base score of 6.5 (medium) reflects a changed scope with high availability impact. The issue was disclosed through OpenHarmony's security disclosure process on Gitcode.

Defensive priority

Medium

Recommended defensive actions

  • Apply OpenHarmony security updates as soon as the vendor publishes them under its security disclosure
  • Review and restrict local access to OpenHarmony systems to trusted users only
  • Monitor OpenHarmony security advisories for patch availability
  • Inventory systems running OpenHarmony v6.0 or earlier and assess their exposure
  • Apply the principle of least privilege to local user accounts

Evidence notes

The CVE description indicates local arbitrary code execution in OpenHarmony v6.0 and prior. The CVSS vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H) shows a local attack vector with impact limited to availability (confidentiality and integrity rated None), which does not match the code-execution capability the description claims. The weakness is identified as CWE-416 (Use After Free). The vendor evidence points to Gitcode as the likely reference domain. The NVD status is currently 'Deferred'.

Official resources

2026-05-19