
CVE-2026-24925

Severity: High
Published: 06 February 2026
Modified: 10 February 2026
KEV Added: not listed
CVSS Score: 7.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)
EPSS Score: 0.0001 (0.7th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-24925 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Huawei HarmonyOS. Its CVSS v3.1 base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks it at the 0.7th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).

Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-787: Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A local heap-based buffer overflow (CWE-122/787) with AV:L, PR:N, UI:N and an A:H impact directly enables application or system exploitation resulting in denial of service. The limited confidentiality and integrity effects (C:L/I:L), combined with the unchanged scope (S:U), do not clearly map to privilege escalation or credential access techniques.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Heap-based buffer overflow vulnerability in the image module. Impact: Successful exploitation of this vulnerability may affect availability.

Deeper analysis (AI-generated)

CVE-2026-24925 is a heap-based buffer overflow vulnerability in the image module, as documented under CWE-122 and CWE-787. It affects Huawei consumer products, including laptops, based on the vendor's security bulletins. Published on 2026-02-06T09:15:51.023, the vulnerability carries a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H), indicating a high availability impact with low confidentiality and integrity effects upon successful exploitation.

A local attacker can exploit this vulnerability with no privileges, no user interaction and low attack complexity. Exploitation triggers a heap-based buffer overflow that can disrupt system availability (denial of service) and may also permit limited unauthorized data access or modification.

Huawei has published security advisories detailing the issue at https://consumer.huawei.com/en/support/bulletin/2026/2/ and https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/. Security practitioners should review these bulletins for available patches, updated firmware, or mitigation guidance specific to affected devices.

Details

CWE(s): CWE-122 (Heap-based Buffer Overflow), CWE-787 (Out-of-bounds Write)

Affected Products

Vendor: huawei
Product: harmonyos
Versions: 5.1.0, 6.0.0

CVEs Like This One (same product: Huawei HarmonyOS)

CVE-2024-57962
CVE-2024-57956
CVE-2024-56437
CVE-2026-34851
CVE-2024-54121
CVE-2026-34856
CVE-2024-56446
CVE-2026-34865
CVE-2024-57955
CVE-2026-24926

References

https://consumer.huawei.com/en/support/bulletin/2026/2/
https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/