CVE-2026-34851

Low

Published: 13 April 2026

Published

13 April 2026

Modified

16 April 2026

KEV Added

—

Patch

—

CVSS Score 2.2 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L

EPSS Score 0.0000 0.1th percentile

Risk Priority 4 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34851 is a low-severity Race Condition (CWE-362) vulnerability in Huawei Harmonyos. Its CVSS base score is 2.2 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 0.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Timely flaw remediation through application of Huawei patches directly corrects the race condition vulnerability in the event notification module.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Vulnerability scanning identifies systems affected by CVE-2026-34851, enabling targeted patching despite its high attack complexity.

SC-5 Denial-of-service Protection partial match

prevent

Denial-of-service protections limit the availability impact from local exploitation of the race condition in the event notification module.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Race condition vulnerability directly enables exploitation to cause limited denial of service via application/system crash, matching T1499.004 Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Race condition vulnerability in the event notification module. Impact: Successful exploitation of this vulnerability may affect availability.

Deeper analysisAI

CVE-2026-34851 is a race condition vulnerability (CWE-362) in the event notification module of Huawei consumer products. Published on 2026-04-13, it carries a CVSS v3.1 base score of 2.2 (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L), reflecting low severity primarily due to its potential to affect availability.

Exploitation requires local access (AV:L), low privileges (PR:L), high attack complexity (AC:H), and user interaction (UI:R). A successful attack can result in a limited denial of service, impacting availability without affecting confidentiality or integrity.

Huawei has issued security bulletins addressing this vulnerability, available at https://consumer.huawei.com/en/support/bulletin/2026/4/ and https://consumer.huawei.com/en/support/bulletinlaptops/2026/4/, which provide details on affected products and recommended mitigations or patches.

Details

CWE(s): CWE-362

Affected Products

huawei

harmonyos

5.1.0, 6.0.0

CVEs Like This One

CVE-2026-34856Same product: Huawei Harmonyos

CVE-2024-56437Same product: Huawei Harmonyos

CVE-2024-57962Same product: Huawei Harmonyos

CVE-2025-68955Same product: Huawei Harmonyos

CVE-2025-68957Same product: Huawei Harmonyos

CVE-2025-68960Same product: Huawei Harmonyos

CVE-2025-68958Same product: Huawei Harmonyos

CVE-2026-24925Same product: Huawei Harmonyos

CVE-2025-68956Same product: Huawei Harmonyos

CVE-2024-56446Same product: Huawei Harmonyos

References

https://consumer.huawei.com/en/support/bulletin/2026/4/
Vendor Advisory · psirt@huawei.com
https://consumer.huawei.com/en/support/bulletinlaptops/2026/4/
Vendor Advisory · psirt@huawei.com