Cyber Posture

CVE-2026-24930

High

Published: 06 February 2026

Published
06 February 2026
Modified
09 February 2026
KEV Added
Patch
CVSS Score 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0001 0.4th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24930 is a high-severity Race Condition (CWE-362) vulnerability in Huawei Harmonyos. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-16 Memory Protection good match
prevent

SI-16 implements memory protections that directly mitigate Use-After-Free vulnerabilities by restricting unauthorized access, modification, or execution of freed memory in the graphics module.

SI-2 Flaw Remediation good match
prevent

SI-2 ensures timely identification, reporting, and patching of flaws like CVE-2026-24930, as detailed in Huawei's security bulletins, preventing exploitation.

RA-5 Vulnerability Monitoring and Scanning good match
detect

RA-5 requires vulnerability scanning and monitoring to detect CVE-2026-24930 in the graphics module, enabling prompt remediation.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Local UAF vulnerability in graphics module allows unprivileged attacker (PR:N, UI:N) to achieve arbitrary code execution with high C/I/A impact, directly enabling T1068 Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

UAF concurrency vulnerability in the graphics module. Impact: Successful exploitation of this vulnerability may affect availability.

Deeper analysisAI

CVE-2026-24930 is a Use-After-Free (UAF) concurrency vulnerability, associated with CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and CWE-416 (Use After Free), affecting the graphics module in Huawei consumer products. Published on 2026-02-06, it carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity with potential impacts across confidentiality, integrity, and availability.

A local attacker can exploit this vulnerability with low complexity, requiring no privileges or user interaction. Successful exploitation may allow the attacker to achieve high-impact effects, including unauthorized access to sensitive data, modification of system integrity, and disruption of availability, such as through arbitrary code execution or system crashes in the graphics subsystem.

Huawei has issued security bulletins addressing this issue, available at https://consumer.huawei.com/en/support/bulletin/2026/2/ and https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/, which detail recommended patches and mitigation steps for affected consumer devices and laptops.

Details

CWE(s)
CWE-362CWE-416

Affected Products

huawei
harmonyos
5.1.0, 6.0.0

CVEs Like This One

CVE-2025-68958Same product: Huawei Harmonyos
CVE-2025-68957Same product: Huawei Harmonyos
CVE-2025-68960Same product: Huawei Harmonyos
CVE-2025-68956Same product: Huawei Harmonyos
CVE-2024-56451Same product: Huawei Harmonyos
CVE-2024-56439Same product: Huawei Harmonyos
CVE-2025-68968Same product: Huawei Harmonyos
CVE-2026-24926Same product: Huawei Harmonyos
CVE-2025-68955Same product: Huawei Harmonyos
CVE-2026-34859Same product: Huawei Harmonyos

References