{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24916", "assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e", "state": "PUBLISHED", "assignerShortName": "huawei", "dateReserved": "2026-01-28T06:05:05.256Z", "datePublished": "2026-02-06T08:48:22.425Z", "dateUpdated": "2026-02-06T16:29:10.620Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "HarmonyOS", "vendor": "Huawei", "versions": [{"status": "affected", "version": "6.0.0"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Identity authentication bypass vulnerability in the window module.<br>Impact: Successful exploitation of this vulnerability may affect service confidentiality."}], "value": "Identity authentication bypass vulnerability in the window module.\nImpact: Successful exploitation of this vulnerability may affect service confidentiality."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "25ac1063-e409-4190-8079-24548c77ea2e", "shortName": "huawei", "dateUpdated": "2026-02-06T08:48:22.425Z"}, "references": [{"url": "https://consumer.huawei.com/en/support/bulletin/2026/2/"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-06T16:27:53.495087Z", "id": "CVE-2026-24916", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T16:29:10.620Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24916", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-06T16:27:53.495087Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T16:28:11.382Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Huawei", "product": "HarmonyOS", "versions": [{"status": "affected", "version": "6.0.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://consumer.huawei.com/en/support/bulletin/2026/2/"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Identity authentication bypass vulnerability in the window module.\nImpact: Successful exploitation of this vulnerability may affect service confidentiality.", "supportingMedia": [{"type": "text/html", "value": "Identity authentication bypass vulnerability in the window module.<br>Impact: Successful exploitation of this vulnerability may affect service confidentiality.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "25ac1063-e409-4190-8079-24548c77ea2e", "shortName": "huawei", "dateUpdated": "2026-02-06T08:48:22.425Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24916", "state": "PUBLISHED", "dateUpdated": "2026-02-06T16:29:10.620Z", "dateReserved": "2026-01-28T06:05:05.256Z", "assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e", "datePublished": "2026-02-06T08:48:22.425Z", "assignerShortName": "huawei"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:huawei:harmonyos:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "0EBE30DD-E146-4A6A-BE68-DEF9D4D0B2A8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Identity authentication bypass vulnerability in the window module.\nImpact: Successful exploitation of this vulnerability may affect service confidentiality."}], "id": "CVE-2026-24916", "lastModified": "2026-02-10T17:53:42.560", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.2, "source": "psirt@huawei.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-06T09:15:49.803", "references": [{"source": "psirt@huawei.com", "tags": ["Vendor Advisory"], "url": "https://consumer.huawei.com/en/support/bulletin/2026/2/"}], "sourceIdentifier": "psirt@huawei.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "psirt@huawei.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T22:48:03.503956+00:00", "value": {"mitigation_remediation": ["Apply the official Huawei security patch for HarmonyOS 6.0.0 once released.", "Restrict or disable the window module\u2019s exposure to untrusted inputs through device configuration or security policies.", "Continuously monitor device logs for suspicious authentication attempts or unauthorized access patterns."], "summary": {"action": "Assess Impact", "impact": "Identity Authentication Bypass"}, "threat_synthesis": {"affected_systems": "The affected product is Huawei HarmonyOS, specifically version 6.0.0. The CPE indicates that the flaw applies to the HarmonyOS operating system at that release.", "description_and_impact": "The vulnerability is an identity authentication bypass in the HarmonyOS window module. Successful exploitation may allow a malicious actor to bypass authentication controls and potentially compromise the confidentiality of the service. This flaw is identified as a leakage of information (CWE\u2011200).", "risk_and_exploitability": "The CVSS score of 5.9 indicates a moderate severity vulnerability. The EPSS score of less than 1% suggests a very low probability of exploitation. The vulnerability is not listed in CISA's KEV catalog. The attack vector is not explicitly described in the CVE, but the nature of the flaw\u2014as an identity authentication bypass within the window module\u2014implies that an attacker may need local access or user interaction on the device to exploit it. The primary impact is on service confidentiality."}}}}, "created": "2026-02-09T10:52:34.206560+00:00", "title": "Identity Authentication Bypass in HarmonyOS Window Module", "updated": "2026-04-17T23:00:12.618818+00:00", "vendors": ["huawei", "huawei$PRODUCT$harmonyos"]}