OpenHarmony
By the Year
In 2026 there have been 17 vulnerabilities in OpenHarmony with an average score of 5.4 out of ten. Last year, in 2025, OpenHarmony had 18 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in OpenHarmony in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 1.35.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 17 | 5.38 |
| 2025 | 18 | 6.73 |
| 2024 | 38 | 6.73 |
| 2023 | 17 | 6.66 |
| 2022 | 16 | 6.29 |
It may take a day or so for new OpenHarmony vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent OpenHarmony Security Vulnerabilities
OpenHarmony v6.0 and older: local DOS via unknown component
CVE-2026-33565
3.3 - Low
- May 19, 2026
in OpenHarmony v6.0 and prior versions allow a local attacker cause DOS.
Signal Handler Race Condition
Local attacker A/C via OpenHarmony v6.0 & earlier
CVE-2026-28733
6.5 - Medium
- May 19, 2026
in OpenHarmony v6.0 and prior versions allow a local attacker arbitrary code execution.
Dangling pointer
OpenHarmony <=6.0 Local Info Leak CVE-2026-27766
CVE-2026-27766
5.5 - Medium
- May 19, 2026
in OpenHarmony v6.0 and prior versions allow a local attacker cause information leak.
Signal Handler Race Condition
OpenHarmony v6.0- prior: Local Info Leak (CVE-2026-25850)
CVE-2026-25850
5.5 - Medium
- May 19, 2026
in OpenHarmony v6.0 and prior versions allow a local attacker cause information leak
Improper Preservation of Permissions
OpenHarmony v6.0 & prior local attacker DOS (unrecoverable)
CVE-2026-25781
8.4 - High
- May 19, 2026
in OpenHarmony v6.0 and prior versions allow a local attacker cause DOS and it cannot be recovered.
Memory Corruption
OpenHarmony v6.0 Local DOS via Unauthenticated Resource Exhaustion
CVE-2026-28751
3.3 - Low
- May 19, 2026
in OpenHarmony v6.0 and prior versions allow a local attacker cause DOS.
Improper Input Validation
OpenHarmony v6.0 Local DOS via Local Attack
CVE-2026-27781
3.3 - Low
- May 19, 2026
in OpenHarmony v6.0 and prior versions allow a local attacker cause DOS.
Integer Overflow or Wraparound
OpenHarmony v6.0 and prior RCE via pre-installed app vulnerability
CVE-2026-27648
8.8 - High
- May 19, 2026
in OpenHarmony v6.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps.
Memory Corruption
Local DoS in OpenHarmony v6.0 and prior
CVE-2026-25110
3.3 - Low
- May 19, 2026
in OpenHarmony v6.0 and prior versions allow a local attacker cause DOS.
NULL Pointer Dereference
OpenHarmony <6.0 RCE in pre-installed apps
CVE-2026-24792
8.1 - High
- May 19, 2026
in OpenHarmony v6.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps.
Signal Handler Race Condition
OpenHarmony v5.1.0/earlier Local DOS via Improper Input
CVE-2025-6969
5 - Medium
- March 16, 2026
in OpenHarmony v5.1.0 and prior versions allow a local attacker cause DOS through improper input.
Improper Input Validation
OpenHarmony v5.0.3 Local Attacker: Information Exposure via Improper Input
CVE-2025-26474
3.3 - Low
- March 16, 2026
in OpenHarmony v5.0.3 and prior versions allow a local attacker cause information improper input. This vulnerability can be exploited only in restricted scenarios.
Improper Input Validation
OpenHarmony5.1.0: Local OOB write allows code exec in pre-installed apps
CVE-2025-52458
5.5 - Medium
- March 16, 2026
in OpenHarmony v5.1.0 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through out-of-bounds write. This vulnerability can be exploited only in restricted scenarios.
Memory Corruption
OpenHarmony <=5.1.0: OOB write enables local code exec in installed apps
CVE-2025-41432
5.5 - Medium
- March 16, 2026
in OpenHarmony v5.1.0 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through out-of-bounds write. This vulnerability can be exploited only in restricted scenarios.
Memory Corruption
OpenHarmony v5.x Local ATE via Incompatible Type in Preinstalled Apps
CVE-2025-25277
6.3 - Medium
- March 16, 2026
in OpenHarmony v5.1.0 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through using incompatible type. This vulnerability can be exploited only in restricted scenarios.
Object Type Confusion
OpenHarmony 5.0.3: Local info leak via uninitialized resource
CVE-2025-12736
6.5 - Medium
- March 16, 2026
in OpenHarmony v5.0.3 and prior versions allow a local attacker cause sensitive information leak through use of uninitialized resource.
Use of Uninitialized Resource
OpenHarmony <6.0 Local DOS via Missing Memory Release
CVE-2026-0639
3.3 - Low
- March 16, 2026
in OpenHarmony v6.0 and prior versions allow a local attacker cause DOS through missing release of memory.
Memory Leak
OpenHarmony <5.0.3 Local DOS via Improper Input
CVE-2025-25212
5.5 - Medium
- August 11, 2025
in OpenHarmony v5.0.3 and prior versions allow a local attacker cause DOS through improper input.
Improper Input Validation
CVE-2025-25278: OpenHarmony v5.0.3 Local RCE via tcb race condition
CVE-2025-25278
7 - High
- August 11, 2025
in OpenHarmony v5.0.3 and prior versions allow a local attacker arbitrary code execution in tcb through race condition.
Race Condition
OpenHarmony <=5.0.3 Local AUE via tcb
CVE-2025-27128
7.8 - High
- August 11, 2025
in OpenHarmony v5.0.3 and prior versions allow a local attacker arbitrary code execution in tcb through use after free.
Dangling pointer
OpenHarmony v5.0.3 and earlier: Local Info Leak via GetPermission
CVE-2025-27247
- June 08, 2025
in OpenHarmony v5.0.3 and prior versions allow a local attacker cause information leak through get permission.
Improper Preservation of Permissions
OpenHarmony v5.0.3 Local OOB Write Allows Arbitrary Code Execution
CVE-2025-27132
7.8 - High
- May 06, 2025
in OpenHarmony v5.0.3 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through out-of-bounds write. This vulnerability can be exploited only in restricted scenarios.
Memory Corruption
OpenHarmony Denial-of-Service via NULL Pointer Dereference v5.0.3
CVE-2025-27248
5.5 - Medium
- May 06, 2025
in OpenHarmony v5.0.3 and prior versions allow a local attacker cause DOS through NULL pointer dereference.
NULL Pointer Dereference
OpenHarmony v5.0.2 Local DOS via OOB Write
CVE-2025-24304
- April 07, 2025
in OpenHarmony v5.0.2 and prior versions allow a local attacker cause DOS through out-of-bounds write.
Memory Corruption
OpenHarmony v5.0.2- prior local DOS via missing memory release
CVE-2025-20011
5.5 - Medium
- March 04, 2025
in OpenHarmony v5.0.2 and prior versions allow a local attacker cause DOS through missing release of memory.
Memory Leak
Local OOB Read Info Leak in OpenHarmony 5.0.2 and earlier
CVE-2025-20042
5.5 - Medium
- March 04, 2025
in OpenHarmony v5.0.2 and prior versions allow a local attacker cause information leak through out-of-bounds read.
Out-of-bounds Read
OpenHarmony v5.0.2 and earlier: UAF for local code exec in pre-installed apps
CVE-2025-20081
5.3 - Medium
- March 04, 2025
in OpenHarmony v5.0.2 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through use after free. This vulnerability can be exploited only in restricted scenarios.
Dangling pointer
OpenHarmony v5.0.2-: Local UAF in Pre-Installed Apps => Code Exec
CVE-2025-20626
7.8 - High
- March 04, 2025
in OpenHarmony v5.0.2 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through use after free. This vulnerability can be exploited only in restricted scenarios.
Dangling pointer
OpenHarmony v5.0.2 & earlier NULL ptr Deref in pre-installed apps allows Lcl AOE
CVE-2025-21084
7.8 - High
- March 04, 2025
in OpenHarmony v5.0.2 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through NULL pointer dereference. This vulnerability can be exploited only in restricted scenarios.
NULL Pointer Dereference
Denial of Service via OOB Read in OpenHarmony v5.0.2 and earlier
CVE-2025-22443
5.5 - Medium
- March 04, 2025
in OpenHarmony v5.0.2 and prior versions allow a local attacker cause DOS through out-of-bounds read.
Out-of-bounds Read
OpenHarmony 5.0.2 CVE-2025-22835: Local OOB Write for Arbitrary Code Exec
CVE-2025-22835
7.8 - High
- March 04, 2025
in OpenHarmony v5.0.2 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through out-of-bounds write. This vulnerability can be exploited only in restricted scenarios.
Memory Corruption
OpenHarmony Local DoS via OOB Read before v5.0.2
CVE-2025-22841
5.5 - Medium
- March 04, 2025
in OpenHarmony v5.0.2 and prior versions allow a local attacker cause DOS through out-of-bounds read.
Out-of-bounds Read
Arbitrary Code Exec via ALE in OpenHarmony <5.0.2
CVE-2025-23409
7.8 - High
- March 04, 2025
in OpenHarmony v5.0.2 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through use after free. This vulnerability can be exploited only in restricted scenarios.
Dangling pointer
Local A/C Execution via OOB write in OpenHarmony <=5.0.2
CVE-2025-24309
7.8 - High
- March 04, 2025
in OpenHarmony v5.0.2 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through out-of-bounds write. This vulnerability can be exploited only in restricted scenarios.
Memory Corruption
OpenHarmony 4.1.2 Local Priv Escalation & Info Leak via Buffer Overflow
CVE-2025-0303
7.8 - High
- February 07, 2025
in OpenHarmony v4.1.2 and prior versions allow a local attacker cause the common permission is upgraded to root and sensitive information leak through buffer overflow.
Classic Buffer Overflow
OpenHarmony: Local Information Leak via Out-of-Bounds Read Vulnerability
CVE-2024-9978
5.5 - Medium
- December 03, 2024
in OpenHarmony v4.1.1 and prior versions allow a local attacker cause information leak through out-of-bounds Read.
Out-of-bounds Read
OpenHarmony Use After Free Local Privilege Escalation Vulnerability
CVE-2024-10074
7.8 - High
- December 03, 2024
in OpenHarmony v4.1.1 and prior versions allow a local attacker cause the common permission is upgraded to root through use after free.
Dangling pointer
OpenHarmony: Local Information Leak via Out-of-Bounds Read Vulnerability
CVE-2024-12082
5.5 - Medium
- December 03, 2024
in OpenHarmony v4.0.0 and prior versions allow a local attacker cause information leak through out-of-bounds Read.
Out-of-bounds Read
OpenHarmony v4.1.0 OOB Write Privilege Escalation
CVE-2024-47137
7.8 - High
- November 05, 2024
in OpenHarmony v4.1.0 and prior versions allow a local attacker cause the common permission is upgraded to root and sensitive information leak through out-of-bounds write.
Memory Corruption
OpenHarmony v4.0.0 OOB Read Local DoS
CVE-2024-47402
5.5 - Medium
- November 05, 2024
in OpenHarmony v4.0.0 and prior versions allow a local attacker cause DOS through out-of-bounds read.
Out-of-bounds Read
OpenHarmony v4.1 Double Free Root Escalation
CVE-2024-47404
7.8 - High
- November 05, 2024
in OpenHarmony v4.1.0 and prior versions allow a local attacker cause the common permission is upgraded to root and sensitive information leak through double free.
Double-free
OpenHarmony v4.1.0 OOB Write Root Privilege Escalation
CVE-2024-47797
7.8 - High
- November 05, 2024
in OpenHarmony v4.1.0 and prior versions allow a local attacker cause the common permission is upgraded to root and sensitive information leak through out-of-bounds write.
Memory Corruption
OpenHarmony v4.1.0 and Earlier: OOB Read Info Leak (CVE-2024-39806)
CVE-2024-39806
5.5 - Medium
- October 08, 2024
in OpenHarmony v4.1.0 and prior versions allow a local attacker cause information leak through out-of-bounds Read.
Out-of-bounds Read
OpenHarmony <=4.1.0: Local PAL Escalation & Info Leak via UAF
CVE-2024-41160
7.8 - High
- September 02, 2024
in OpenHarmony v4.1.0 and prior versions allow a local attacker cause the common permission is upgraded to root and sensitive information leak through use after free.
Dangling pointer
OpenHarmony 4.1.0 Local Integer Overflow Crash
CVE-2024-28044
5.5 - Medium
- September 02, 2024
in OpenHarmony v4.1.0 and prior versions allow a local attacker cause crash through integer overflow.
Integer Overflow or Wraparound
OpenHarmony <=4.0.0 Local Info Leak via OOB Read
CVE-2024-38382
5.5 - Medium
- September 02, 2024
in OpenHarmony v4.0.0 and prior versions allow a local attacker cause information leak through out-of-bounds Read.
Out-of-bounds Read
OpenHarmony v4.1.0 & earlier: OOB write enables local ACEX in pre-installed apps
CVE-2024-38386
7.8 - High
- September 02, 2024
in OpenHarmony v4.1.0 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through out-of-bounds write.
Memory Corruption
OpenHarmony <=4.0.0 OOB Write Remote Code Execution (CVE-2024-37185)
CVE-2024-37185
9.8 - Critical
- July 02, 2024
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through out-of-bounds write.
Memory Corruption
OpenHarmony v4.0.0 Local Attacker Crash via Type Confusion
CVE-2024-31071
3.3 - Low
- July 02, 2024
in OpenHarmony v4.0.0 and prior versions allow a local attacker cause apps crash through type confusion.
Object Type Confusion
OpenHarmony v<=4.0 pre-installed apps OOB RCE
CVE-2024-36243
9.8 - Critical
- July 02, 2024
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through out-of-bounds read and write.
Out-of-bounds Read