CVE-2025-0303

High

Published: 07 February 2025

Published

07 February 2025

Modified

11 February 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0007 22.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0303 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Openatom Openharmony. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 22.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-16 Memory Protection good match

prevent

Implements memory protections such as ASLR and DEP to directly prevent exploitation of the buffer overflow for privilege escalation and sensitive information leakage.

SI-10 Information Input Validation good match

prevent

Enforces input validation to block buffer overflows that enable local privilege escalation from common permissions to root in OpenHarmony.

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of the specific buffer overflow flaw in OpenHarmony v4.1.2 and prior versions.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

CVE-2025-0303 is a kernel stack overflow vulnerability exploitable by local attackers to escalate privileges to root and leak sensitive information.

NVD Description

in OpenHarmony v4.1.2 and prior versions allow a local attacker cause the common permission is upgraded to root and sensitive information leak through buffer overflow.

Deeper analysisAI

CVE-2025-0303 is a buffer overflow vulnerability (CWE-120) in OpenHarmony versions v4.1.2 and prior. Published on 2025-02-07, it allows a local attacker to escalate common permissions to root privileges and leak sensitive information.

The vulnerability carries a CVSS v3.1 base score of 8.8 (High), with attack vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. A local attacker possessing low privileges can exploit it through low-complexity means without requiring user interaction, resulting in a scope change and high impacts across confidentiality, integrity, and availability, such as achieving root access and exposing sensitive data.

For details on mitigation, patches, and advisories, refer to the OpenHarmony security disclosure at https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-02.md.

Details

CWE(s): CWE-120

Affected Products

openatom

openharmony

4.1.0 — 4.1.2

CVEs Like This One

CVE-2025-20626Same product: Openatom Openharmony

CVE-2025-0587Same product: Openatom Openharmony

CVE-2025-24301Same product: Openatom Openharmony

CVE-2025-23409Same product: Openatom Openharmony

CVE-2025-22835Same product: Openatom Openharmony

CVE-2025-21084Same product: Openatom Openharmony

CVE-2025-20091Same product: Openatom Openharmony

CVE-2025-23414Same product: Openatom Openharmony

CVE-2025-23420Same product: Openatom Openharmony

CVE-2025-23240Same product: Openatom Openharmony

References

https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-02.md
Third Party Advisory · scy@openharmony.io