CVE-2026-24921

Medium

Published: 06 February 2026

Published

06 February 2026

Modified

10 February 2026

KEV Added

—

Patch

—

CVSS Score 4.8 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:H

EPSS Score 0.0001 0.6th percentile

Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24921 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Huawei Harmonyos. Its CVSS base score is 4.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 0.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 1 other technique.

Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

OOB read enables local memory disclosure (T1005 Data from Local System) and application/system crash for DoS (T1499.004 Application or System Exploitation); PR:H and UI:R limit direct applicability to escalation or remote techniques.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Address read vulnerability in the HDC module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.

Deeper analysisAI

CVE-2026-24921 is an address read vulnerability in the HDC module, corresponding to CWE-125 (Out-of-bounds Read). It affects Huawei consumer products, including laptops and wearables, as indicated by the vendor's security bulletins. The vulnerability was published on 2026-02-06T09:15:50.583 and carries a CVSS v3.1 base score of 4.8 (AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:H), reflecting medium severity with impacts on confidentiality and availability.

Exploitation requires local access to the affected system, low attack complexity, high privileges (PR:H), and user interaction (UI:R), with no scope change. A successful attack can result in low-impact disclosure of confidential information alongside high-impact disruption to availability, such as denial of service.

Huawei has published security bulletins addressing this vulnerability, available at https://consumer.huawei.com/en/support/bulletin/2026/2/, https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/, and https://consumer.huawei.com/en/support/bulletinwearables/2026/2/, which likely detail patches or mitigations for affected consumer products, laptops, and wearables.

Details

CWE(s): CWE-125 NVD-CWE-noinfo

Affected Products

huawei

harmonyos

6.0.0

CVEs Like This One

CVE-2026-24915Same product: Huawei Harmonyos

CVE-2024-57956Same product: Huawei Harmonyos

CVE-2024-57962Same product: Huawei Harmonyos

CVE-2024-56443Same product: Huawei Harmonyos

CVE-2024-56437Same product: Huawei Harmonyos

CVE-2026-34851Same product: Huawei Harmonyos

CVE-2024-54121Same product: Huawei Harmonyos

CVE-2024-56435Same product: Huawei Harmonyos

CVE-2026-34856Same product: Huawei Harmonyos

CVE-2026-24925Same product: Huawei Harmonyos

References

https://consumer.huawei.com/en/support/bulletin/2026/2/
Vendor Advisory · psirt@huawei.com
https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/
Vendor Advisory · psirt@huawei.com
https://consumer.huawei.com/en/support/bulletinwearables/2026/2/
Vendor Advisory · psirt@huawei.com