Cyber Posture

CVE-2026-34865

Severity: Critical
Published: 13 April 2026
Modified: 17 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: see the Huawei security bulletin referenced under Deeper analysis
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0003 (8.0th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-34865 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Huawei HarmonyOS. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 8.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-16 implements memory protections such as address space randomization and non-executable memory to directly mitigate exploitation of out-of-bounds write vulnerabilities in the WEB module.

Prevent: SI-10 enforces input validation at entry points to the WEB module, preventing crafted network inputs that trigger the out-of-bounds write.

Prevent: SI-2 requires identification, reporting, and correction of flaws like CVE-2026-34865, including applying Huawei's issued patches to remediate the vulnerability.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

An out-of-bounds write in the WEB module of a network-accessible wearable device, requiring no authentication or user interaction, maps directly to remote exploitation of a public-facing application (T1190). The confidentiality and availability impacts are consistent with this vector, but no code execution or other techniques are indicated.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Out-of-bounds write vulnerability in the WEB module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.

Deeper analysis

CVE-2026-34865 is an out-of-bounds write vulnerability (CWE-122) in the WEB module of Huawei wearable devices. Published on 2026-04-13, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H), indicating critical severity due to its potential for high-impact remote exploitation.

Attackers require no privileges or user interaction and can exploit the vulnerability over the network with low complexity. Successful exploitation compromises confidentiality by enabling unauthorized data access and disrupts availability through denial-of-service effects, without affecting integrity.

Huawei has issued a security bulletin for wearables at https://consumer.huawei.com/en/support/bulletinwearables/2026/4/, which details mitigation measures and patches for affected devices.

Details

CWE(s)

CWE-122 (Heap-based Buffer Overflow)

Affected Products

Vendor: huawei · Product: harmonyos · Version: 6.0.0

CVEs Like This One

CVE-2026-24925 (same product: Huawei HarmonyOS)
CVE-2024-56444 (same product: Huawei HarmonyOS)
CVE-2024-56436 (same product: Huawei HarmonyOS)
CVE-2024-57962 (same product: Huawei HarmonyOS)
CVE-2025-68955 (same product: Huawei HarmonyOS)
CVE-2026-24915 (same product: Huawei HarmonyOS)
CVE-2026-28536 (same product: Huawei HarmonyOS)
CVE-2024-56443 (same product: Huawei HarmonyOS)
CVE-2024-56451 (same product: Huawei HarmonyOS)
CVE-2024-12602 (same product: Huawei HarmonyOS)