CVE-2025-68958

High

Published: 14 January 2026

Published

14 January 2026

Modified

15 January 2026

KEV Added

—

Patch

—

CVSS Score 8.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

EPSS Score 0.0000 0.1th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-68958 is a high-severity Race Condition (CWE-362) vulnerability in Huawei Harmonyos. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the multi-thread race condition vulnerability in the card framework module by applying Huawei patches, preventing exploitation and impacts to confidentiality, integrity, and availability.

RA-5 Vulnerability Monitoring and Scanning good match

preventdetect

Scans for and remediates the specific CVE-2025-68958 race condition vulnerability, enabling proactive identification and correction before local exploitation.

SC-5 Denial-of-service Protection partial match

prevent

Limits the high availability impact and potential denial-of-service effects from successful local exploitation of the race condition.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Local unauthenticated race condition (CWE-362) with high integrity/availability impact enables exploitation of software flaws to escalate privileges on the host.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability.

Deeper analysisAI

CVE-2025-68958 is a multi-thread race condition vulnerability, classified under CWE-362, in the card framework module. Published on 2026-01-14, it affects Huawei consumer products and carries a CVSS v3.1 base score of 8.0 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H). Successful exploitation may affect availability.

A local attacker can exploit this vulnerability with low attack complexity, no required privileges, and no user interaction. Exploitation can lead to low confidentiality impact, high integrity impact, and high availability impact.

Huawei has issued security bulletins for this vulnerability, available on their consumer support pages for general products, laptops, and wearables dated January 2026.

Details

CWE(s): CWE-362

Affected Products

huawei

harmonyos

6.0.0

CVEs Like This One

CVE-2025-68957Same product: Huawei Harmonyos

CVE-2025-68960Same product: Huawei Harmonyos

CVE-2025-68956Same product: Huawei Harmonyos

CVE-2026-24930Same product: Huawei Harmonyos

CVE-2025-68955Same product: Huawei Harmonyos

CVE-2026-34856Same product: Huawei Harmonyos

CVE-2024-56439Same product: Huawei Harmonyos

CVE-2024-56451Same product: Huawei Harmonyos

CVE-2026-34851Same product: Huawei Harmonyos

CVE-2025-68968Same product: Huawei Harmonyos

References

https://consumer.huawei.com/en/support/bulletin/2026/1//
Vendor Advisory · psirt@huawei.com
https://consumer.huawei.com/en/support/bulletinlaptops/2026/1//
Vendor Advisory · psirt@huawei.com
https://consumer.huawei.com/en/support/bulletinwearables/2026/1/
Vendor Advisory · psirt@huawei.com