CVE-2026-24915
Published: 06 February 2026
Summary
CVE-2026-24915 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Huawei HarmonyOS. Its CVSS base score is 6.2 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 0.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-24915 is an out-of-bounds read vulnerability (CWE-125) in the media subsystem, published on 2026-02-06. It affects various Huawei consumer products, as detailed in the vendor's security bulletins for general consumer devices, laptops, vision products, and wearables.
The vulnerability has a CVSS v3.1 base score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Per that vector, a local attacker needs only low attack complexity, no privileges, and no user interaction to exploit it. The vector records a high confidentiality impact with no integrity or availability impact, i.e. high-severity information disclosure; the vendor's own impact statement (quoted below) lists both availability and confidentiality as affected.
Huawei has issued security advisories with details on the vulnerability at https://consumer.huawei.com/en/support/bulletin/2026/2/, https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/, https://consumer.huawei.com/en/support/bulletinvision/2026/2/, and https://consumer.huawei.com/en/support/bulletinwearables/2026/2/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5655
Vulnerability details
Out-of-bounds read issue in the media subsystem. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local out-of-bounds read enables unprivileged information disclosure from system memory/media subsystem, directly facilitating access to data on the local host.
Mitigating Controls (NIST 800-53 r5)
Memory Protection directly blocks out-of-bounds reads in the media subsystem by enforcing bounds checks and address-space protections.
Information Input Validation prevents the malformed or oversized media data that triggers the out-of-bounds read.
Process Isolation limits the scope of a local out-of-bounds read so it cannot disclose confidential data across process boundaries.
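As an added illustration of how the SI-10 (input validation) and SI-16 (memory protection) controls above apply to a media parser, the following C example is written for this page and is not Huawei's media-subsystem code; the chunk format, function names and sample bytes are all constructed. It shows the CWE-125 pattern as a comment (a length field trusted without checking it against the bytes actually supplied) next to a hardened reader that validates every length before it is used, so that a truncated header or an oversized payload length is rejected instead of read past the end of the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical chunked media container (constructed for this example):
 * a sequence of records, each with a 4-byte little-endian type tag and a
 * 4-byte little-endian payload length, followed by the payload bytes. */
enum { HDR_LEN = 8 };

typedef struct {
    uint32_t type;          /* chunk type tag */
    uint32_t len;           /* payload length as declared in the header */
    const uint8_t *payload; /* points into the caller's buffer */
} chunk_t;

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* CWE-125 pattern (shown only, never executed here):
 *     uint32_t len = rd_le32(buf + off + 4);
 *     memcpy(dst, buf + off + HDR_LEN, len);   // len never checked against buf_len
 * A header that declares more payload than the buffer holds makes the copy
 * read beyond the end of buf, leaking whatever memory follows it. */

/* Hardened reader: fills *out and returns 1 on success, 0 on malformed input.
 * Every read is checked against the bytes remaining before it happens. */
int read_chunk(const uint8_t *buf, size_t buf_len, size_t off, chunk_t *out) {
    if (buf == NULL || out == NULL || off > buf_len) return 0;
    size_t remaining = buf_len - off;
    if (remaining < HDR_LEN) return 0;            /* header itself would overread */
    uint32_t len = rd_le32(buf + off + 4);
    if (len > remaining - HDR_LEN) return 0;      /* declared payload exceeds supplied data */
    out->type = rd_le32(buf + off);
    out->len = len;
    out->payload = buf + off + HDR_LEN;
    return 1;
}

/* Walks the whole container; returns the number of chunks parsed, or -1 at the
 * first malformed chunk. The offset update cannot overrun buf_len because
 * read_chunk guarantees HDR_LEN + len <= remaining. */
int count_chunks(const uint8_t *buf, size_t buf_len) {
    size_t off = 0;
    int n = 0;
    while (off < buf_len) {
        chunk_t c;
        if (!read_chunk(buf, buf_len, off, &c)) return -1;
        off += HDR_LEN + (size_t)c.len;
        n++;
    }
    return n;
}

/* Constructed sample inputs. */
static const uint8_t GOOD[] = {
    'f','m','t',' ', 3,0,0,0, 0xAA,0xBB,0xCC,   /* chunk 1: 3-byte payload */
    'd','a','t','a', 2,0,0,0, 0x01,0x02         /* chunk 2: 2-byte payload */
};
static const uint8_t BAD_LEN[] = {
    'd','a','t','a', 0xFF,0xFF,0xFF,0x7F, 0x01  /* header claims ~2 GiB, 1 byte present */
};
static const uint8_t TRUNC_HDR[] = { 'd','a','t','a', 5,0 }; /* header cut short */

int demo_good(void)    { return count_chunks(GOOD, sizeof GOOD); }          /* 2 */
int demo_bad_len(void) { return count_chunks(BAD_LEN, sizeof BAD_LEN); }    /* -1 */
int demo_trunc(void)   { return count_chunks(TRUNC_HDR, sizeof TRUNC_HDR); }/* -1 */

int main(void) {
    printf("well-formed container: %d chunks\n", demo_good());
    printf("oversized length field: %d\n", demo_bad_len());
    printf("truncated header: %d\n", demo_trunc());
    return 0;
}
```

The check `len > remaining - HDR_LEN` is written as a comparison against the space that is actually left rather than as `off + HDR_LEN + len > buf_len`, so that an attacker-controlled length cannot wrap the addition and slip past the test; that is the difference between validating the input and merely appearing to.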