
CVE-2026-34865

Critical

Published: 13 April 2026
Modified: 17 April 2026
KEV Added: not listed
Patch: vendor bulletin available (see Deeper analysis)
CVSS v4.0 base score: 10.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H; threat, environmental and supplemental metrics not defined)
EPSS score: 0.0021 (percentile 11.3, below the median)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-34865 is a critical-severity heap-based buffer overflow (CWE-122), an out-of-bounds write, in the WEB module of Huawei HarmonyOS. Its CVSS v4.0 base score is 10.0 (Critical); the CVSS v3.1 score published for it is 9.1 (see Deeper analysis).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 11.3 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-34865 is an out-of-bounds write, classified as a heap-based buffer overflow (CWE-122), in the WEB module of Huawei wearable devices running HarmonyOS. Published on 2026-04-13, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H), Critical: the flaw is reachable over the network with low attack complexity and requires neither privileges nor user interaction.

Under the v3.1 vector, successful exploitation has high confidentiality impact (unauthorized data access) and high availability impact (a crash or denial of service of the WEB module), with no integrity impact. Note that the CVSS v4.0 vector recorded for this CVE (VC:H/VI:H/VA:H, score 10.0) rates integrity as high, which conflicts with both the v3.1 vector and the vendor's impact statement (availability and confidentiality only). Since an out-of-bounds write corrupts memory by definition, treat the v3.1 I:N as the vendor's assessment of demonstrated impact rather than as a guarantee that code execution is impossible, and prioritise the update on the worst case.

Huawei has issued a security bulletin for wearables at https://consumer.huawei.com/en/support/bulletinwearables/2026/4/, which details mitigation measures and patches for affected devices.


Vulnerability details

Out-of-bounds write vulnerability in the WEB module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.

CWE(s)

CWE-122 Heap-based Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

An out-of-bounds write in the WEB module of a network-accessible wearable, requiring neither authentication nor user interaction, is directly exploitable as an attack on a public-facing application (T1190). The confidentiality and availability impacts fit that vector; the advisory indicates no code execution, so no further techniques are mapped.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-56444 (same product: Huawei HarmonyOS)
CVE-2026-24925 (same product: Huawei HarmonyOS)
CVE-2024-56443 (same product: Huawei HarmonyOS)
CVE-2025-68956 (same product: Huawei HarmonyOS)
CVE-2026-34856 (same product: Huawei HarmonyOS)
CVE-2026-24926 (same product: Huawei HarmonyOS)
CVE-2026-24921 (same product: Huawei HarmonyOS)
CVE-2024-56439 (same product: Huawei HarmonyOS)
CVE-2025-68955 (same product: Huawei HarmonyOS)
CVE-2024-56436 (same product: Huawei HarmonyOS)

Affected Assets

Vendor: huawei
Product: harmonyos
Version: 6.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-16 Memory Protection (prevent)

Memory protections such as address space layout randomization and non-executable memory raise the cost of turning an out-of-bounds write in the WEB module into code execution, but they do not remove the bug: a crafted request can still corrupt heap memory and crash the module, so the availability impact remains until the device is updated.

SI-10 Information Input Validation (prevent)

Input validation at the WEB module's entry points (bounding the length and size of request data before it reaches the affected code) prevents the crafted network input that triggers the out-of-bounds write. On deployed devices this is a vendor-side fix delivered by the update; the operator-side compensating control is to limit which networks can reach the device's web interface.

SI-2 Flaw Remediation (prevent)

SI-2 requires identification, reporting and correction of flaws such as CVE-2026-34865, here by applying the update referenced in Huawei's wearables bulletin.
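The vulnerability class described in Deeper analysis (a heap-based buffer overflow, CWE-122, reachable through a web module's request handling) and the SI-10 control above are illustrated by the added example below. It is hypothetical code written for this page, not Huawei's code, and it says nothing about the actual root cause of CVE-2026-34865; the function names, the BODY_MAX cap and the sample requests are all constructed assumptions. The vulnerable handler sizes its heap chunk from the client-supplied Content-Length but copies the bytes it actually received; the hardened handler validates the declared length against a cap and against the received length before allocating, so allocation and copy are driven by one checked value.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration of CWE-122 in a hypothetical embedded web request handler.
 * NOT Huawei's code and NOT the real CVE-2026-34865 bug; BODY_MAX, the function
 * names and the sample requests below are assumptions constructed for this page. */

#define BODY_MAX 4096  /* assumed upper bound a small device's web module would accept */

/* Parses the Content-Length header out of a raw HTTP request.
 * Returns 1 and stores the value, or 0 if the header is absent or malformed. */
int parse_content_length(const char *req, size_t *out) {
    const char *p = strstr(req, "Content-Length:");
    if (!p) return 0;
    p += strlen("Content-Length:");
    while (*p == ' ') p++;
    char *end;
    errno = 0;
    unsigned long v = strtoul(p, &end, 10);
    if (end == p || errno != 0) return 0;                    /* no digits / out of range */
    if (*end != '\r' && *end != '\n' && *end != '\0') return 0;   /* trailing junk */
    *out = (size_t)v;
    return 1;
}

/* Returns a pointer to the body (after the blank line) and its real length,
 * or NULL if the request has no header/body separator. */
const char *locate_body(const char *req, size_t *body_len) {
    const char *sep = strstr(req, "\r\n\r\n");
    if (!sep) return NULL;
    sep += 4;
    *body_len = strlen(sep);
    return sep;
}

/* VULNERABLE (CWE-122): the heap chunk is sized from the client-supplied
 * Content-Length, but the copy uses the number of bytes actually received.
 * A body longer than the declared length writes past the end of the chunk. */
char *read_body_vuln(const char *req) {
    size_t declared, body_len;
    const char *body = locate_body(req, &body_len);
    if (!body || !parse_content_length(req, &declared)) return NULL;
    char *buf = malloc(declared + 1);
    if (!buf) return NULL;
    memcpy(buf, body, body_len);      /* body_len may exceed declared: heap overflow */
    buf[body_len] = '\0';
    return buf;
}

/* HARDENED (SI-10 style input validation): reject before allocating unless the
 * declared length is within the cap AND equals what was received, then size
 * both the allocation and the copy from that single validated value. */
char *read_body_safe(const char *req) {
    size_t declared, body_len;
    const char *body = locate_body(req, &body_len);
    if (!body || !parse_content_length(req, &declared)) return NULL;
    if (declared > BODY_MAX || body_len != declared) return NULL;
    char *buf = malloc(declared + 1);
    if (!buf) return NULL;
    memcpy(buf, body, declared);
    buf[declared] = '\0';
    return buf;
}

/* Constructed sample requests (not real traffic). */
const char *REQ_BENIGN =
    "POST /api/status HTTP/1.1\r\nContent-Length: 4\r\n\r\nping";
const char *REQ_OVERSIZED =
    "POST /api/status HTTP/1.1\r\nContent-Length: 4\r\n\r\n"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
const char *REQ_HUGE_DECLARED =
    "POST /api/status HTTP/1.1\r\nContent-Length: 99999999\r\n\r\nping";

int main(void) {
    char *ok = read_body_safe(REQ_BENIGN);
    printf("benign        -> %s\n", ok ? ok : "(rejected)");
    free(ok);
    printf("oversized     -> %s\n", read_body_safe(REQ_OVERSIZED) ? "accepted" : "(rejected)");
    printf("huge declared -> %s\n", read_body_safe(REQ_HUGE_DECLARED) ? "accepted" : "(rejected)");
    /* read_body_vuln(REQ_OVERSIZED) is deliberately not called: it would copy the
     * whole received body into a 5-byte heap chunk, which is the CWE-122 condition. */
    return 0;
}
```

The point of the hardened version is that the two quantities that must agree (how much was allocated and how much is written) come from one validated value; memory protections (SI-16) would only make the mismatch harder to exploit, they would not stop the crash.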
