PatchSiren

CVE-2026-28751 OpenHarmony CVE debrief

A local denial-of-service (DoS) vulnerability exists in OpenHarmony v6.0 and prior versions. The vulnerability allows a local attacker to cause a DoS condition. The issue was disclosed on 19 May 2026 and is classified as low severity with a CVSS 3.1 score of 3.3. The vulnerability is associated with CWE-20 (Improper Input Validation). The NVD entry status is currently 'Deferred'.

Vendor: OpenHarmony
Product: Unknown
CVSS: LOW 3.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

Organizations running OpenHarmony v6.0 or earlier in production environments, particularly those with multi-user scenarios where local access cannot be fully restricted. System administrators responsible for OpenHarmony device fleet security should monitor for patch availability.

Technical summary

CVE-2026-28751 is a local denial-of-service vulnerability in OpenHarmony v6.0 and earlier. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L) indicates a local attack with low complexity and privilege requirements, affecting availability only. The root cause is categorized as CWE-20 (Improper Input Validation). The vulnerability was disclosed on 19 May 2026 via official OpenHarmony security channels. NVD status is currently 'Deferred', indicating the entry may be awaiting additional analysis or vendor confirmation.

Defensive priority

low

Recommended defensive actions

  • Review OpenHarmony security disclosure documentation for affected component details and patch availability
  • Assess local access controls on OpenHarmony deployments to limit exposure
  • Monitor OpenHarmony security advisories for updated patch status
  • Apply security updates when released by OpenHarmony maintainers

Evidence notes

The vulnerability description indicates a local attack vector (AV:L) with low attack complexity (AC:L) and low privileges required (PR:L), resulting in a low availability impact (A:L). The official OpenHarmony security disclosure reference provides authoritative source documentation.
