Cyber Posture

CVE-2026-28552

Medium

Published: 05 March 2026
Modified: 05 March 2026
KEV Added:
Patch:
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H)
EPSS Score: 0.0001 (0.9th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28552 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in Huawei HarmonyOS. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 0.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).

Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

An out-of-bounds write in the network-accessible IMS module enables remote exploitation with a high availability impact through an application or system crash, which maps directly to Endpoint DoS via exploitation. The low integrity impact and high attack complexity limit any mapping to RCE or initial access techniques.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Out-of-bounds write vulnerability in the IMS module. Impact: Successful exploitation of this vulnerability may affect availability.

Deeper analysis (AI)

CVE-2026-28552 is an out-of-bounds write vulnerability in the IMS module, associated with CWE-19 (Memory Allocation Error) and CWE-787 (Out-of-bounds Write). It affects Huawei consumer products, including devices covered under general support bulletins as well as specific categories like laptops and wearables. The vulnerability carries a CVSS v3.1 base score of 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H), indicating network accessibility with high attack complexity, no privileges or user interaction required, unchanged scope, no confidentiality impact, low integrity impact, and high availability impact.

Remote attackers without privileges can exploit this vulnerability over the network, though it requires high complexity to achieve. Successful exploitation may primarily affect availability, potentially leading to denial-of-service conditions, with a secondary low-impact effect on integrity.

Huawei has published security bulletins addressing this issue, available at consumer support pages for general products (https://consumer.huawei.com/en/support/bulletin/2026/3/), laptops (https://consumer.huawei.com/en/support/bulletinlaptops/2026/3/), and wearables (https://consumer.huawei.com/en/support/bulletinwearables/2026/3/), which likely detail patches or mitigation steps for affected devices.

Details

CWE(s)

Affected Products

huawei emui: 14.0.0, 14.2.0, 15.0.0
huawei harmonyos: 4.0.0, 4.2.0, 4.3.0, 4.3.1, 5.1.0

CVEs Like This One

CVE-2024-56438 (Same product: Huawei EMUI)
CVE-2024-56442 (Same product: Huawei EMUI)
CVE-2024-56434 (Same product: Huawei EMUI)
CVE-2024-57959 (Same product: Huawei EMUI)
CVE-2024-56440 (Same product: Huawei EMUI)
CVE-2024-57961 (Same product: Huawei EMUI)
CVE-2026-24925 (Same product: Huawei HarmonyOS)
CVE-2024-57962 (Same product: Huawei HarmonyOS)
CVE-2026-34853 (Same product: Huawei EMUI)
CVE-2026-28542 (Same product: Huawei EMUI)
