CVE-2025-41432
Published: 16 March 2026
Summary
CVE-2025-41432 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in Openatom Openharmony. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 0.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-41432 is an out-of-bounds write vulnerability (CWE-787) affecting OpenHarmony versions v5.1.0 and prior. It enables a local attacker to achieve arbitrary code execution within pre-installed applications, but exploitation is limited to restricted scenarios.
The vulnerability has a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), indicating it requires local access, low privileges, and low attack complexity with no user interaction needed. A successful exploit allows the attacker to execute arbitrary code in the context of pre-installed apps, resulting in high confidentiality impact through potential unauthorized data access.
Mitigation details are available in the OpenHarmony security disclosure advisory at https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2025/2025-10.md. The vulnerability was published on 2026-03-16T14:17:58.693.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208679
Vulnerability details
in OpenHarmony v5.1.0 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through out-of-bounds write. This vulnerability can be exploited only in restricted scenarios.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local out-of-bounds write enables arbitrary code execution in pre-installed apps (client-side context).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Memory Protection directly blocks out-of-bounds writes that enable the arbitrary code execution in this CVE.
Least Privilege restricts the local attacker's ability to reach and exploit the vulnerable pre-installed apps.
Process Isolation limits the impact of code execution achieved via the out-of-bounds write to the compromised app context.