{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34857", "assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e", "state": "PUBLISHED", "assignerShortName": "huawei", "dateReserved": "2026-03-31T01:11:13.701Z", "datePublished": "2026-04-13T04:05:08.412Z", "dateUpdated": "2026-04-13T14:49:42.067Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "25ac1063-e409-4190-8079-24548c77ea2e", "shortName": "huawei", "dateUpdated": "2026-04-13T04:05:08.412Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-362", "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "affected": [{"vendor": "Huawei", "product": "HarmonyOS", "versions": [{"status": "affected", "version": "6.0.0"}, {"status": "affected", "version": "5.1.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "UAF vulnerability in the communication module.\nImpact: Successful exploitation of this vulnerability may affect availability.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "UAF vulnerability in the communication module.<br>Impact: Successful exploitation of this vulnerability may affect availability."}]}], "references": [{"url": "https://consumer.huawei.com/en/support/bulletin/2026/4/"}, {"url": "https://consumer.huawei.com/en/support/bulletinvision/2026/4/"}, {"url": "https://consumer.huawei.com/en/support/bulletinwearables/2026/4/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T14:49:34.730624Z", "id": "CVE-2026-34857", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T14:49:42.067Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34857", "assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e", "state": "PUBLISHED", "assignerShortName": "huawei", "dateReserved": "2026-03-31T01:11:13.701Z", "datePublished": "2026-04-13T04:05:08.412Z", "dateUpdated": "2026-04-13T14:49:42.067Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "25ac1063-e409-4190-8079-24548c77ea2e", "shortName": "huawei", "dateUpdated": "2026-04-13T04:05:08.412Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-362", "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "affected": [{"vendor": "Huawei", "product": "HarmonyOS", "versions": [{"status": "affected", "version": "6.0.0"}, {"status": "affected", "version": "5.1.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "UAF vulnerability in the communication module.\nImpact: Successful exploitation of this vulnerability may affect availability.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "UAF vulnerability in the communication module.<br>Impact: Successful exploitation of this vulnerability may affect availability."}]}], "references": [{"url": "https://consumer.huawei.com/en/support/bulletin/2026/4/"}, {"url": "https://consumer.huawei.com/en/support/bulletinvision/2026/4/"}, {"url": "https://consumer.huawei.com/en/support/bulletinwearables/2026/4/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34857", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T14:49:34.730624Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T14:49:38.808Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "UAF vulnerability in the communication module.\nImpact: Successful exploitation of this vulnerability may affect availability."}], "id": "CVE-2026-34857", "lastModified": "2026-04-13T15:01:43.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 4.2, "source": "psirt@huawei.com", "type": "Secondary"}]}, "published": "2026-04-13T05:16:03.520", "references": [{"source": "psirt@huawei.com", "url": "https://consumer.huawei.com/en/support/bulletin/2026/4/"}, {"source": "psirt@huawei.com", "url": "https://consumer.huawei.com/en/support/bulletinvision/2026/4/"}, {"source": "psirt@huawei.com", "url": "https://consumer.huawei.com/en/support/bulletinwearables/2026/4/"}], "sourceIdentifier": "psirt@huawei.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "psirt@huawei.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.0.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "HarmonyOS", "source": "cna", "vendor": "Huawei"}, "product": "harmonyos", "vendor": "huawei"}], "analysis": {"en": {"generated_at": "2026-04-13T06:53:54.592978+00:00", "value": {"mitigation_remediation": ["Check the device\u2019s HarmonyOS version against the vendor\u2019s bulletin links to confirm whether it is affected.", "Apply the latest HarmonyOS patch or firmware update that addresses the communication module flaw as soon as it becomes available.", "If no patch is yet released, monitor the device for service disruptions and consider restricting network access or isolating the device from critical infrastructure until a fix is issued."], "summary": {"action": "Update Patch", "impact": "Availability disruption"}, "threat_synthesis": {"affected_systems": "Huawei HarmonyOS is the known affected product family. No specific version numbers are listed in the advisory, so any device or application running an unspecified HarmonyOS build could be vulnerable.", "description_and_impact": "The flaw is a use\u2011after\u2011free (CWE\u2011362) located in the communication module of Huawei HarmonyOS. When an attacker can trigger the fault, the system may crash or otherwise stop responding, resulting in a denial of service. The vendor specifically notes that successful exploitation may affect availability, indicating that the primary consequence is interruption rather than data compromise.", "risk_and_exploitability": "The CVSS base score of 4.7 reflects moderate severity, and the vulnerability is not listed in the CISA KEV catalog. EPSS data is not available, so the exact likelihood of exploitation is indeterminate. Based on the description, it is inferred that the attack vector could be local if the communication module is exposed through a user\u2011controlled interface, or remote if the module is reachable over a network. The risk is moderate, but the impact on availability can be significant, especially for critical services."}}}}, "created": "2026-04-13T12:37:31.019865+00:00", "title": "Use\u2011After\u2011Free Vulnerability in HarmonyOS Communication Module Causing Availability Issues", "updated": "2026-04-13T12:53:19.025642+00:00", "vendors": ["huawei", "huawei$PRODUCT$harmonyos"]}