{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0639", "assignerOrgId": "0cf5dd6e-1214-4398-a481-30441e48fafd", "state": "PUBLISHED", "assignerShortName": "OpenHarmony", "dateReserved": "2026-01-06T06:52:22.079Z", "datePublished": "2026-03-16T07:08:53.480Z", "dateUpdated": "2026-03-16T17:33:21.403Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0cf5dd6e-1214-4398-a481-30441e48fafd", "shortName": "OpenHarmony", "dateUpdated": "2026-03-16T07:08:53.480Z"}, "title": "liteos_a has a missing release of memory vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-401", "description": "CWE-401 Missing release of memory after effective lifetime", "type": "CWE"}]}], "affected": [{"vendor": "OpenHarmony", "product": "OpenHarmony", "versions": [{"status": "affected", "version": "v5.0.3", "lessThanOrEqual": "v6.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "in OpenHarmony v6.0 and prior versions allow a local attacker case DOS through missing release of memory.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "in OpenHarmony v6.0 and prior versions allow a local attacker case DOS through missing release of memory."}]}], "references": [{"url": "https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-02.md"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseSeverity": "LOW", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T17:29:35.471396Z", "id": "CVE-2026-0639", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T17:33:21.403Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0639", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T17:29:35.471396Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T17:29:49.655Z"}}], "cna": {"title": "liteos_a has a missing release of memory vulnerability", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OpenHarmony", "product": "OpenHarmony", "versions": [{"status": "affected", "version": "v5.0.3", "versionType": "custom", "lessThanOrEqual": "v6.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-02.md"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "in OpenHarmony v6.0 and prior versions allow a local attacker case DOS through missing release of memory.", "supportingMedia": [{"type": "text/html", "value": "in OpenHarmony v6.0 and prior versions allow a local attacker case DOS through missing release of memory.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-401", "description": "CWE-401 Missing release of memory after effective lifetime"}]}], "providerMetadata": {"orgId": "0cf5dd6e-1214-4398-a481-30441e48fafd", "shortName": "OpenHarmony", "dateUpdated": "2026-03-16T07:08:53.480Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0639", "state": "PUBLISHED", "dateUpdated": "2026-03-16T17:33:21.403Z", "dateReserved": "2026-01-06T06:52:22.079Z", "assignerOrgId": "0cf5dd6e-1214-4398-a481-30441e48fafd", "datePublished": "2026-03-16T07:08:53.480Z", "assignerShortName": "OpenHarmony"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:openatom:openharmony:*:*:*:*:-:*:*:*", "matchCriteriaId": "68971496-ED94-430E-9268-D0E1234256F1", "versionEndIncluding": "6.0", "versionStartIncluding": "5.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "in OpenHarmony v6.0 and prior versions allow a local attacker case DOS through missing release of memory."}], "id": "CVE-2026-0639", "lastModified": "2026-03-17T15:40:50.177", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "scy@openharmony.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-16T14:18:07.000", "references": [{"source": "scy@openharmony.io", "tags": ["Vendor Advisory"], "url": "https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-02.md"}], "sourceIdentifier": "scy@openharmony.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "scy@openharmony.io", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[v5.0.3,v6.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "OpenHarmony", "source": "cna", "vendor": "OpenHarmony"}, "product": "openharmony", "vendor": "openharmony"}], "analysis": {"en": {"generated_at": "2026-03-17T17:15:41.819273+00:00", "value": {"mitigation_remediation": ["Upgrade OpenHarmony to a version newer than 6.0 (e.g., the latest release).", "If an upgrade is not immediately feasible, isolate the affected system from untrusted local users and monitor memory usage for anomalies.", "Verify that the patch has been applied by consulting the vendor\u2019s security advisory or the disclosed reference."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of OpenHarmony version 6.0 and any prior versions, as identified by the vendor identifiers OpenHarmony:OpenHarmony and the CPE string cpe:2.3:o:openatom:openharmony:*:*:*:*:-:*:*:*.", "description_and_impact": "In OpenHarmony v6.0 and earlier, the system fails to release allocated memory under specific conditions, leading to a memory leak. This flaw, catalogued as CWE\u2011401, permits a local attacker to repeatedly trigger the leak, consuming system memory until processes become unresponsive, resulting in a denial of service. The vulnerability does not disclose data or allow code execution; its impact is confined to availability.", "risk_and_exploitability": "The CVSS score is 3.3, indicating low severity, while the EPSS score is below 1%, showing a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack vector is local\u2014an attacker must have local access to initiate the memory\u2011consuming operations. Because the flaw only causes a service interruption, the overall risk to confidentiality and integrity is none."}}}}, "created": "2026-03-17T09:53:10.912700+00:00", "updated": "2026-03-24T10:45:36.385414+00:00", "vendors": ["openharmony", "openharmony$PRODUCT$openharmony"]}