Cyber Resilience

CVE-2024-56446

Medium

Published: 08 January 2025

Published
08 January 2025
Modified
13 January 2025
KEV Added
Patch
CVSS Score v3.1 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score 0.0008 23.9th percentile
Risk Priority 8 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-56446 is a medium-severity Use of Uninitialized Variable (CWE-457) vulnerability in Huawei Harmonyos. Its CVSS base score is 4.0 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 23.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-11 (Error Handling).

Deeper analysis

CVE-2024-56446 is a vulnerability involving variables not being initialized in the notification module of Huawei consumer products. Published on January 8, 2025, it carries a CVSS v3.1 base score of 4.0 (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) and maps to CWE-457 (Use of Uninitialized Variable) and CWE-908 (Use of Uninitialized Resource). Successful exploitation impacts availability.

A local attacker can exploit this vulnerability with low complexity, no required privileges, and no user interaction. Exploitation disrupts availability, potentially leading to denial-of-service conditions in the affected notification module.

Huawei has published a support bulletin at https://consumer.huawei.com/en/support/bulletin/2025/1/ addressing this issue, which security practitioners should consult for mitigation details and available patches.

EU & UK References

Vulnerability details

Vulnerability of variables not being initialized in the notification module Impact: Successful exploitation of this vulnerability may affect availability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Uninitialized variable in local notification module directly enables application/system crash for availability impact via exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24925Same product: Huawei Harmonyos
CVE-2026-34851Same product: Huawei Harmonyos
CVE-2024-57962Same product: Huawei Harmonyos
CVE-2024-56437Same product: Huawei Harmonyos
CVE-2024-57956Same product: Huawei Harmonyos
CVE-2026-34856Same product: Huawei Harmonyos
CVE-2024-54121Same product: Huawei Harmonyos
CVE-2026-24921Same product: Huawei Harmonyos
CVE-2025-68960Same product: Huawei Harmonyos
CVE-2024-56438Same product: Huawei Harmonyos

Affected Assets

huawei
harmonyos
5.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CVE by requiring identification, prioritization, and timely remediation of flaws like uninitialized variables through vendor patches.

prevent

Implements runtime memory protections such as ASLR and DEP to mitigate exploitation of uninitialized variable use leading to crashes or DoS.

prevent

Ensures errors from uninitialized variables in the notification module are handled gracefully without compromising system availability.

References