Cyber Posture

CVE-2025-68955

High

Published: 14 January 2026

Modified: 15 January 2026
KEV Added
Patch
CVSS Score: 8.0 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H)
EPSS Score: 0.0001 (0.5th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-68955 is a high-severity race condition (CWE-362) vulnerability in Huawei HarmonyOS. Its CVSS base score is 8.0 (High).

Operationally, it is ranked at the 0.5th percentile by exploit likelihood (EPSS), below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly remediates the race condition vulnerability by requiring timely installation of Huawei's January 2026 patches for affected consumer devices.

detect

Vulnerability scanning identifies systems running vulnerable versions of the card framework module prior to local exploitation.

detect

System monitoring detects anomalous behavior or crashes in the card framework indicative of race condition exploitation affecting availability and integrity.

MITRE ATT&CK Enterprise Techniques · AI

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

NVD Description

Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability.

Deeper analysis · AI

CVE-2025-68955 is a multi-thread race condition vulnerability, classified under CWE-362, in the card framework module. It was published on 2026-01-14T02:15:50.213 with a CVSS v3.1 base score of 8.0 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H). The vulnerability affects Huawei consumer devices, as indicated by security bulletins for general products, laptops, and wearables.

A local attacker can exploit this vulnerability with low complexity and no privileges or user interaction required. Successful exploitation may affect availability, with potential impacts including low confidentiality loss, high integrity compromise, and high availability disruption.

Huawei issued security bulletins in January 2026 addressing this issue, available on its consumer support pages for general products (https://consumer.huawei.com/en/support/bulletin/2026/1/), laptops (https://consumer.huawei.com/en/support/bulletinlaptops/2026/1/), and wearables (https://consumer.huawei.com/en/support/bulletinwearables/2026/1/). Practitioners should consult these for patch details and mitigation guidance.

Details

CWE(s)

Affected Products

Vendor: huawei · Product: harmonyos · Version: 6.0.0

CVEs Like This One

CVE-2025-68957 · Same product: Huawei HarmonyOS
CVE-2025-68960 · Same product: Huawei HarmonyOS
CVE-2026-34856 · Same product: Huawei HarmonyOS
CVE-2025-68958 · Same product: Huawei HarmonyOS
CVE-2025-68956 · Same product: Huawei HarmonyOS
CVE-2026-34851 · Same product: Huawei HarmonyOS
CVE-2024-58045 · Same product: Huawei HarmonyOS
CVE-2026-24930 · Same product: Huawei HarmonyOS
CVE-2024-56436 · Same product: Huawei HarmonyOS
CVE-2024-56437 · Same product: Huawei HarmonyOS
