CVE-2026-24915

Medium

Published: 06 February 2026

Modified: 10 February 2026
CVSS Score: 6.2 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0000 (0.1th percentile)
Risk Priority: 12 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-24915 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Huawei HarmonyOS. Its CVSS base score is 6.2 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 0.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005).
Threat & Defense Details

MITRE ATT&CK Enterprise Techniques

T1005 · Data from Local System · Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Local out-of-bounds read enables unprivileged information disclosure from system memory/media subsystem, directly facilitating access to data on the local host.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Out-of-bounds read issue in the media subsystem. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.

Deeper analysis

CVE-2026-24915 is an out-of-bounds read vulnerability (CWE-125) in the media subsystem, published on 2026-02-06. It affects various Huawei consumer products, as detailed in the vendor's security bulletins for general consumer devices, laptops, vision products, and wearables.

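The vulnerability has a CVSS v3.1 base score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Exploitation requires local access, is low complexity, and needs no privileges or user interaction. The NVD description states that successful exploitation affects availability and confidentiality; the CVSS vector itself rates the confidentiality impact High (C:H) and the integrity and availability impact None (I:N/A:N), so the scored impact is information disclosure.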

Huawei has issued security advisories with details on the vulnerability at https://consumer.huawei.com/en/support/bulletin/2026/2/, https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/, https://consumer.huawei.com/en/support/bulletinvision/2026/2/, and https://consumer.huawei.com/en/support/bulletinwearables/2026/2/.

Details

CWE(s)

CWE-125 (Out-of-bounds Read)

Affected Products

huawei / harmonyos: 5.1.0, 5.1.1, 6.0.0

CVEs Like This One

CVE-2026-24921 · Same product: Huawei HarmonyOS
CVE-2024-56443 · Same product: Huawei HarmonyOS
CVE-2024-56435 · Same product: Huawei HarmonyOS
CVE-2024-57954 · Same product: Huawei HarmonyOS
CVE-2024-57956 · Same product: Huawei HarmonyOS
CVE-2024-56444 · Same product: Huawei HarmonyOS
CVE-2024-56436 · Same product: Huawei HarmonyOS
CVE-2024-57962 · Same product: Huawei HarmonyOS
CVE-2025-68955 · Same product: Huawei HarmonyOS
CVE-2026-28536 · Same product: Huawei HarmonyOS
