Cyber Resilience

CVE-2024-36260

Severity: High

Published: 02 July 2024

Modified: 21 November 2024
KEV Added: not listed
Patch
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L)
EPSS Score: 0.0196 (83.9th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-36260 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in OpenAtom OpenHarmony. Its CVSS v3.1 base score is 8.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 16.1% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

OpenHarmony v4.0.0 and prior versions allow a remote attacker to achieve arbitrary code execution in pre-installed apps through an out-of-bounds write.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The remote out-of-bounds write in the OpenHarmony Ark eTS runtime enables arbitrary code execution in pre-installed or arbitrary apps, which supports exploitation of remote services (T1210) and privilege escalation through exploitation (T1068).

Affected Assets

Vendor: openatom
Product: openharmony
Versions: ≤ 4.0

Mitigating Controls

Likely Mitigating Controls (AI mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.

References