CVE-2026-28552
Published: 05 March 2026
Summary
CVE-2026-28552 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in Huawei HarmonyOS. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 1.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-28552 is an out-of-bounds write vulnerability in the IMS module, associated with CWE-19 (Memory Allocation Error) and CWE-787 (Out-of-bounds Write). It affects Huawei consumer products, including devices covered under general support bulletins as well as specific categories like laptops and wearables. The vulnerability carries a CVSS v3.1 base score of 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H), indicating network accessibility with high attack complexity, no privileges or user interaction required, unchanged scope, no confidentiality impact, low integrity impact, and high availability impact.
Remote attackers without privileges can exploit this vulnerability over the network, though the attack complexity is high. Successful exploitation primarily affects availability, potentially leading to denial-of-service conditions, with a secondary low-impact effect on integrity.
Huawei has published security bulletins addressing this issue, available at consumer support pages for general products (https://consumer.huawei.com/en/support/bulletin/2026/3/), laptops (https://consumer.huawei.com/en/support/bulletinlaptops/2026/3/), and wearables (https://consumer.huawei.com/en/support/bulletinwearables/2026/3/), which likely detail patches or mitigation steps for affected devices.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9810
Vulnerability details
Out-of-bounds write vulnerability in the IMS module. Impact: Successful exploitation of this vulnerability may affect availability.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Out-of-bounds write in network-accessible IMS module enables remote exploitation causing high availability impact via application/system crash, directly mapping to Endpoint DoS via exploitation; low integrity and high complexity limit mapping to RCE or initial access techniques.
Mitigating Controls (NIST 800-53 r5)
Memory Protection directly blocks out-of-bounds writes (CWE-787) that cause the IMS module crash.
Information Input Validation prevents the malformed network data that triggers the memory allocation error (CWE-19).
Flaw Remediation requires applying the Huawei patches published in the 2026/3 security bulletins for the affected IMS module.