Cyber Resilience

CVE-2026-24921

Medium

Published: 06 February 2026

Published
06 February 2026
Modified
10 February 2026
KEV Added
Patch
CVSS Score v3.1 4.8 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:H
EPSS Score 0.0001 1.2th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24921 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Huawei Harmonyos. Its CVSS base score is 4.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 1.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-24921 is an address read vulnerability in the HDC module, corresponding to CWE-125 (Out-of-bounds Read). It affects Huawei consumer products, including laptops and wearables, as indicated by the vendor's security bulletins. The vulnerability was published on 2026-02-06T09:15:50.583 and carries a CVSS v3.1 base score of 4.8 (AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:H), reflecting medium severity with impacts on confidentiality and availability.

Exploitation requires local access to the affected system, low attack complexity, high privileges (PR:H), and user interaction (UI:R), with no scope change. A successful attack can result in low-impact disclosure of confidential information alongside high-impact disruption to availability, such as denial of service.

Huawei has published security bulletins addressing this vulnerability, available at https://consumer.huawei.com/en/support/bulletin/2026/2/, https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/, and https://consumer.huawei.com/en/support/bulletinwearables/2026/2/, which likely detail patches or mitigations for affected consumer products, laptops, and wearables.

EU & UK References

Vulnerability details

Address read vulnerability in the HDC module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

OOB read enables local memory disclosure (T1005 Data from Local System) and application/system crash for DoS (T1499.004 Application or System Exploitation); PR:H and UI:R limit direct applicability to escalation or remote techniques.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24915Same product: Huawei Harmonyos
CVE-2024-57956Same product: Huawei Harmonyos
CVE-2026-34851Same product: Huawei Harmonyos
CVE-2024-56443Same product: Huawei Harmonyos
CVE-2024-56446Same product: Huawei Harmonyos
CVE-2026-34856Same product: Huawei Harmonyos
CVE-2026-24925Same product: Huawei Harmonyos
CVE-2024-57962Same product: Huawei Harmonyos
CVE-2024-56437Same product: Huawei Harmonyos
CVE-2024-12602Same product: Huawei Harmonyos

Affected Assets

huawei
harmonyos
6.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires applying vendor patches from Huawei bulletins to eliminate the out-of-bounds read flaw in the HDC module.

prevent

Enforces memory protection mechanisms that block unauthorized out-of-bounds reads, directly mitigating CWE-125 exploitation.

prevent

Process isolation limits the blast radius of a successful address read, protecting confidentiality and availability of other system components.

References