Cyber Resilience

CVE-2026-24915

Severity: Medium

Published: 06 February 2026

Modified: 10 February 2026
KEV Added: not listed
CVSS Score (v3.1): 6.2, vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score: 0.0000 (0.1th percentile)
Risk Priority: 12 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-24915 is a medium-severity out-of-bounds read (CWE-125) vulnerability in Huawei HarmonyOS, with a CVSS v3.1 base score of 6.2 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). EPSS ranks it at the 0.1th percentile for exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-24915 is an out-of-bounds read vulnerability (CWE-125) in the media subsystem, published on 2026-02-06. It affects various Huawei consumer products, as detailed in the vendor's security bulletins for general consumer devices, laptops, vision products, and wearables.

The vulnerability has a CVSS v3.1 base score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Exploitation requires local access but only low attack complexity, no privileges, and no user interaction. Successful exploitation impacts availability and confidentiality, enabling high-severity information disclosure. Note that the vector itself rates confidentiality impact as high (C:H) and availability impact as none (A:N), so the 6.2 score is driven entirely by the disclosure component.

Huawei has issued security advisories with details on the vulnerability at https://consumer.huawei.com/en/support/bulletin/2026/2/, https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/, https://consumer.huawei.com/en/support/bulletinvision/2026/2/, and https://consumer.huawei.com/en/support/bulletinwearables/2026/2/.


Vulnerability details

Out-of-bounds read issue in the media subsystem. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.

CWE(s)

CWE-125 Out-of-bounds Read

Related Threats

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

A local out-of-bounds read lets an unprivileged process disclose memory contents of the media subsystem, which maps directly to collecting sensitive data from the local host.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24921 (same product: Huawei Harmonyos)
CVE-2024-56443 (same product: Huawei Harmonyos)
CVE-2024-12602 (same product: Huawei Harmonyos)
CVE-2024-56435 (same product: Huawei Harmonyos)
CVE-2024-57954 (same product: Huawei Harmonyos)
CVE-2024-57956 (same product: Huawei Harmonyos)
CVE-2024-56444 (same product: Huawei Harmonyos)
CVE-2025-68968 (same product: Huawei Harmonyos)
CVE-2024-57957 (same product: Huawei Harmonyos)
CVE-2025-68958 (same product: Huawei Harmonyos)

Affected Assets

Vendor: huawei
Product: harmonyos
Versions: 5.1.0, 5.1.1, 6.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-16 Memory Protection (prevent): directly blocks out-of-bounds reads in the media subsystem by enforcing bounds checks and address-space protections.

SI-10 Information Input Validation (prevent): prevents the malformed or oversized media data that triggers the out-of-bounds read.

SC-39 Process Isolation (prevent): limits the scope of a local out-of-bounds read so it cannot disclose confidential data across process boundaries.
