Cyber Resilience

CVE-2026-24925

High

Published: 06 February 2026

Published
06 February 2026
Modified
10 February 2026
KEV Added
Patch
CVSS Score v3.1 7.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
EPSS Score 0.0001 1.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24925 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Huawei Harmonyos. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 1.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-24925 is a heap-based buffer overflow vulnerability in the image module, as documented under CWE-122 and CWE-787. It affects Huawei consumer products, including laptops, based on the vendor's security bulletins. Published on 2026-02-06T09:15:51.023, the vulnerability carries a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H), indicating a high availability impact with low confidentiality and integrity effects upon successful exploitation.

A local attacker can exploit this vulnerability with no required privileges or user interaction and low attack complexity. Exploitation triggers a heap-based buffer overflow, potentially disrupting system availability through denial of service, while also allowing limited unauthorized access to data or modification.

Huawei has published security advisories detailing the issue at https://consumer.huawei.com/en/support/bulletin/2026/2/ and https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/. Security practitioners should review these bulletins for available patches, updated firmware, or mitigation guidance specific to affected devices.

EU & UK References

Vulnerability details

Heap-based buffer overflow vulnerability in the image module. Impact: Successful exploitation of this vulnerability may affect availability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Local heap-based buffer overflow (CWE-122/787) with AV:L/PR:N/UI:N and A:H impact directly enables application/system exploitation resulting in denial of service; limited C/I effects do not clearly map to privilege escalation or credential access given S:U scope.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-56446Same product: Huawei Harmonyos
CVE-2026-34856Same product: Huawei Harmonyos
CVE-2024-57956Same product: Huawei Harmonyos
CVE-2026-34851Same product: Huawei Harmonyos
CVE-2024-57962Same product: Huawei Harmonyos
CVE-2024-56437Same product: Huawei Harmonyos
CVE-2024-54121Same product: Huawei Harmonyos
CVE-2024-57955Same product: Huawei Harmonyos
CVE-2026-34865Same product: Huawei Harmonyos
CVE-2026-24926Same product: Huawei Harmonyos

Affected Assets

huawei
harmonyos
5.1.0, 6.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Memory protection mechanisms (e.g., ASLR, guard pages, safe allocators) directly block exploitation of the heap buffer overflow in the image module.

prevent

Requires prompt application of Huawei patches/firmware updates that remediate the vulnerable image module code.

prevent

Strict validation and bounds-checking of image input data would stop the malformed data that triggers the CWE-122/CWE-787 overflow.

References