CVE-2025-0304
Published: 07 February 2025
Summary
CVE-2025-0304 is a high-severity Use After Free (CWE-416) vulnerability in OpenAtom OpenHarmony. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 23.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-0304 is a use-after-free vulnerability (CWE-416) present in OpenHarmony versions 4.1.2 and prior. The flaw enables a local attacker to upgrade common permissions to root level and leak sensitive information.
The vulnerability can be exploited by a local attacker who has low privileges (PR:L). Exploitation requires low attack complexity (AC:L) and no user interaction (UI:N), but changes scope (S:C) to achieve high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H), yielding a CVSS v3.1 base score of 8.8.
Mitigation details are available in the OpenHarmony security advisory at https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-02.md. The CVE was published on 2025-02-07.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1594
Vulnerability details
OpenHarmony v4.1.2 and prior versions allow a local attacker to upgrade common permissions to root and leak sensitive information through a use after free.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Use-after-free vulnerability directly enables local privilege escalation from low-privileged user to root on OpenHarmony.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Implements memory protection safeguards that directly mitigate use-after-free vulnerabilities by preventing unauthorized access to freed memory.
Requires timely identification, reporting, and patching of the specific use-after-free flaw in OpenHarmony to eliminate the vulnerability.
Enforces least privilege to restrict the scope of privilege escalation from common permissions to root even if the UAF is partially exploited.