CVE-2026-28552

Medium

Published: 05 March 2026

Modified: 05 March 2026
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H)
EPSS Score: 0.0001 (1.0th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28552 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in Huawei HarmonyOS. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 1.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-28552 is an out-of-bounds write vulnerability in the IMS module, associated with CWE-19 (Memory Allocation Error) and CWE-787 (Out-of-bounds Write). It affects Huawei consumer products, including devices covered under general support bulletins as well as specific categories like laptops and wearables. The vulnerability carries a CVSS v3.1 base score of 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H), indicating network accessibility with high attack complexity, no privileges or user interaction required, unchanged scope, no confidentiality impact, low integrity impact, and high availability impact.

Remote attackers without privileges can exploit this vulnerability over the network, though it requires high complexity to achieve. Successful exploitation may primarily affect availability, potentially leading to denial-of-service conditions, with a secondary low-impact effect on integrity.

Huawei has published security bulletins addressing this issue, available at consumer support pages for general products (https://consumer.huawei.com/en/support/bulletin/2026/3/), laptops (https://consumer.huawei.com/en/support/bulletinlaptops/2026/3/), and wearables (https://consumer.huawei.com/en/support/bulletinwearables/2026/3/), which likely detail patches or mitigation steps for affected devices.

Vulnerability details

Out-of-bounds write vulnerability in the IMS module. Impact: Successful exploitation of this vulnerability may affect availability.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

An out-of-bounds write in the network-accessible IMS module enables remote exploitation with high availability impact through an application or system crash, which maps directly to Endpoint DoS via exploitation. The low integrity impact and high attack complexity limit any mapping to RCE or initial access techniques.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2023-52955 · Same product: Huawei EMUI
CVE-2024-56440 · Same product: Huawei EMUI
CVE-2024-56442 · Same product: Huawei EMUI
CVE-2024-56438 · Same product: Huawei EMUI
CVE-2024-57959 · Same product: Huawei EMUI
CVE-2024-56434 · Same product: Huawei EMUI
CVE-2024-57961 · Same product: Huawei EMUI
CVE-2026-24925 · Same product: Huawei HarmonyOS
CVE-2026-34859 · Same product: Huawei EMUI
CVE-2026-28553 · Same product: Huawei EMUI

Affected Assets

huawei · emui · 14.0.0, 14.2.0, 15.0.0
huawei · harmonyos · 4.0.0, 4.2.0, 4.3.0, 4.3.1, 5.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Memory Protection directly blocks out-of-bounds writes (CWE-787) that cause the IMS module crash.

Prevent: Information Input Validation prevents the malformed network data that triggers the memory allocation error (CWE-19).

Prevent: Flaw Remediation requires applying the Huawei patches published in the 2026/3 security bulletins for the affected IMS module.
