CVE-2026-24925
Published: 06 February 2026
Summary
CVE-2026-24925 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Huawei Harmonyos. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 1.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-24925 is a heap-based buffer overflow vulnerability in the image module, as documented under CWE-122 and CWE-787. It affects Huawei consumer products, including laptops, based on the vendor's security bulletins. Published on 2026-02-06T09:15:51.023, the vulnerability carries a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H), indicating a high availability impact with low confidentiality and integrity effects upon successful exploitation.
A local attacker can exploit this vulnerability with no required privileges or user interaction and low attack complexity. Exploitation triggers a heap-based buffer overflow, potentially disrupting system availability through denial of service, while also allowing limited unauthorized access to data or modification.
Huawei has published security advisories detailing the issue at https://consumer.huawei.com/en/support/bulletin/2026/2/ and https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/. Security practitioners should review these bulletins for available patches, updated firmware, or mitigation guidance specific to affected devices.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5647
Vulnerability details
Heap-based buffer overflow vulnerability in the image module. Impact: Successful exploitation of this vulnerability may affect availability.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local heap-based buffer overflow (CWE-122/787) with AV:L/PR:N/UI:N and A:H impact directly enables application/system exploitation resulting in denial of service; limited C/I effects do not clearly map to privilege escalation or credential access given S:U scope.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Memory protection mechanisms (e.g., ASLR, guard pages, safe allocators) directly block exploitation of the heap buffer overflow in the image module.
Requires prompt application of Huawei patches/firmware updates that remediate the vulnerable image module code.
Strict validation and bounds-checking of image input data would stop the malformed data that triggers the CWE-122/CWE-787 overflow.