CVE-2024-56451

High

Published: 08 January 2025

Published

08 January 2025

Modified

13 January 2025

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H

EPSS Score 0.0008 24.3th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-56451 is a high-severity Integer Overflow to Buffer Overflow (CWE-680) vulnerability in Huawei Harmonyos. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 24.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 Flaw Remediation directly addresses the integer overflow in the glTF model loader by requiring identification, testing, and deployment of patches as issued by Huawei.

SI-10 Information Input Validation good match

prevent

SI-10 Information Input Validation prevents exploitation by enforcing checks on glTF model inputs, such as integer sizes and offsets, to avoid overflows during loading.

SI-16 Memory Protection good match

prevent

SI-16 Memory Protection mitigates integer overflow consequences through safeguards like address space randomization and non-executable memory, reducing impacts on confidentiality and availability.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Integer overflow in local 3D model parsing enables local privilege escalation from low-priv context to sensitive data access and DoS.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Integer overflow vulnerability during glTF model loading in the 3D engine module Impact: Successful exploitation of this vulnerability may affect availability.

Deeper analysisAI

CVE-2024-56451 is an integer overflow vulnerability (CWE-190, CWE-680) during glTF model loading in the 3D engine module of Huawei software. Published on January 8, 2025, it carries a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H), rated as high severity.

A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation may lead to high confidentiality impact through unauthorized access to sensitive data, low integrity impact, and high availability impact such as denial of service.

Huawei has issued a security bulletin detailing mitigations and patches for this vulnerability, available at https://consumer.huawei.com/en/support/bulletin/2025/1/.

Details

CWE(s): CWE-680 CWE-190

Affected Products

huawei

harmonyos

5.0.0

CVEs Like This One

CVE-2025-68957Same product: Huawei Harmonyos

CVE-2025-68960Same product: Huawei Harmonyos

CVE-2024-56439Same product: Huawei Harmonyos

CVE-2025-68958Same product: Huawei Harmonyos

CVE-2026-24930Same product: Huawei Harmonyos

CVE-2025-68956Same product: Huawei Harmonyos

CVE-2025-68968Same product: Huawei Harmonyos

CVE-2026-24926Same product: Huawei Harmonyos

CVE-2024-57955Same product: Huawei Harmonyos

CVE-2024-57956Same product: Huawei Harmonyos

References

https://consumer.huawei.com/en/support/bulletin/2025/1/
Vendor Advisory · psirt@huawei.com