CVE-2026-24921
Published: 06 February 2026
Summary
CVE-2026-24921 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Huawei HarmonyOS. Its CVSS base score is 4.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). By exploit likelihood it ranks at the 1.2 percentile (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-24921 is an address read vulnerability in the HDC module, corresponding to CWE-125 (Out-of-bounds Read). It affects Huawei consumer products, including laptops and wearables, as indicated by the vendor's security bulletins. The vulnerability was published on 2026-02-06T09:15:50.583 and carries a CVSS v3.1 base score of 4.8 (AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:H), reflecting medium severity with impacts on confidentiality and availability.
Exploitation requires local access to the affected system, low attack complexity, high privileges (PR:H), and user interaction (UI:R), with no scope change. A successful attack can result in low-impact disclosure of confidential information alongside high-impact disruption to availability, such as denial of service.
Huawei has published security bulletins addressing this vulnerability, available at https://consumer.huawei.com/en/support/bulletin/2026/2/, https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/, and https://consumer.huawei.com/en/support/bulletinwearables/2026/2/, which likely detail patches or mitigations for affected consumer products, laptops, and wearables.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5658
Vulnerability details
Address read vulnerability in the HDC module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
OOB read enables local memory disclosure (T1005 Data from Local System) and application/system crash for DoS (T1499.004 Application or System Exploitation); PR:H and UI:R limit direct applicability to escalation or remote techniques.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) (AI)
- SI-2 (Flaw Remediation): directly requires applying vendor patches from the Huawei bulletins to eliminate the out-of-bounds read flaw in the HDC module.
- SI-16 (Memory Protection): enforces memory protection mechanisms that block unauthorized out-of-bounds reads, directly mitigating CWE-125 exploitation.
- Process isolation: limits the blast radius of a successful address read, protecting the confidentiality and availability of other system components.
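The memory-protection control above is, at the code level, a bounds check on every read that is driven by an attacker-influenced length. The following C program is an added illustration and is not Huawei's HDC code; the framed-message layout (one length byte followed by a payload) is a hypothetical format chosen for the example. It shows the unchecked CWE-125 pattern next to a checked reader that rejects a frame whose declared length exceeds the bytes actually held, which is the condition that turns a read into information disclosure or a crash.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical frame layout for this example (NOT the real HDC format):
 *   byte 0     : payload length N
 *   bytes 1..N : payload
 */

/* Unchecked reader: trusts the in-message length byte. If N exceeds
 * buf_len - 1 the memcpy reads past the end of `buf` (CWE-125). It is
 * only ever called on a well-formed frame below, because the overlong
 * case is undefined behaviour. */
size_t unchecked_copy_payload(const uint8_t *buf, size_t buf_len,
                              uint8_t *out, size_t out_len) {
    (void)buf_len;                 /* the real buffer size is ignored */
    (void)out_len;
    size_t n = buf[0];
    memcpy(out, buf + 1, n);       /* no check against buf_len or out_len */
    return n;
}

/* Checked reader: validates the declared length against the bytes we
 * actually hold and against the destination size before touching memory.
 * Returns 0 on success, -1 on any malformed or oversized frame. */
int checked_copy_payload(const uint8_t *buf, size_t buf_len,
                         uint8_t *out, size_t out_len, size_t *copied) {
    if (buf == NULL || out == NULL || copied == NULL) return -1;
    if (buf_len < 1) return -1;            /* no length byte present */
    size_t n = buf[0];
    if (n > buf_len - 1) return -1;         /* declared length exceeds data */
    if (n > out_len) return -1;             /* would overflow destination */
    memcpy(out, buf + 1, n);
    *copied = n;
    return 0;
}

/* Scenario helpers with constructed input so results can be asserted. */
int check_well_formed(void) {
    const uint8_t frame[] = {3, 'a', 'b', 'c'};   /* constructed, valid */
    uint8_t out[8] = {0};
    size_t copied = 0;
    int rc = checked_copy_payload(frame, sizeof frame, out, sizeof out, &copied);
    return rc == 0 && copied == 3 && memcmp(out, "abc", 3) == 0;
}

int check_overlong_length(void) {
    const uint8_t frame[] = {10, 'a', 'b'};       /* claims 10, holds 2 */
    uint8_t out[8] = {0};
    size_t copied = 0;
    return checked_copy_payload(frame, sizeof frame, out, sizeof out, &copied) == -1;
}

int check_destination_too_small(void) {
    const uint8_t frame[] = {4, 'w', 'x', 'y', 'z'};
    uint8_t out[2] = {0};                         /* smaller than payload */
    size_t copied = 0;
    return checked_copy_payload(frame, sizeof frame, out, sizeof out, &copied) == -1;
}

int main(void) {
    const uint8_t frame[] = {3, 'a', 'b', 'c'};
    uint8_t out[8] = {0};
    /* The unchecked reader is fine on valid input; the danger is only in
     * what it does with a frame whose length byte lies. */
    size_t n = unchecked_copy_payload(frame, sizeof frame, out, sizeof out);
    printf("unchecked reader copied %zu bytes from a valid frame\n", n);
    printf("well-formed frame accepted: %d\n", check_well_formed());
    printf("overlong length rejected:   %d\n", check_overlong_length());
    printf("small destination rejected: %d\n", check_destination_too_small());
    return 0;
}
```

The check `n > buf_len - 1` is written in that order deliberately: computing `buf_len - 1 - n` or `buf + 1 + n` first would itself wrap or form an out-of-range pointer for an oversized `n`. Compiling the unchecked variant with sanitizers (for example `-fsanitize=address`) is the usual way to surface this class of defect in testing before a bulletin is needed.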