Huawei: Ten Vulnerabilities Disclosed Together on June 9, 2026
Huawei addressed ten vulnerabilities on June 9, 2026, impacting various modules including package management, IPC, and audio frameworks, with severities ranging from Low to Medium.
Key findings
- Ten Huawei vulnerabilities disclosed together on June 9, 2026, within a 3-hour window.
- Vulnerabilities affect diverse modules including package management, IPC, and file system.
- Impacts range from service availability and integrity to confidentiality.
- Medium severity flaws include use-after-free, race conditions, and permission control issues.
- Low severity vulnerabilities involve logic bypass and permission control in notifications.
On June 9, 2026, a cluster of ten vulnerabilities affecting Huawei products was disclosed, with all advisories published within a three-hour window. These vulnerabilities span multiple components, including package management, inter-process communication (IPC), audio frameworks, and file system operations, with reported impacts on service availability, integrity, and confidentiality. The disclosures highlight potential weaknesses across different layers of Huawei's software stack.
The vulnerabilities include several related to the package management module, specifically two use-after-free (UAF) flaws, CVE-2026-41985 and CVE-2026-41984, both rated Medium severity. These issues could compromise service integrity if exploited. Additionally, the IPC module is affected by CVE-2026-41981, an out-of-bounds write vulnerability, and CVE-2026-41982, a race condition vulnerability, both also rated Medium and potentially impacting service availability.
Further impacting availability is CVE-2026-41986, a low-severity logic bypass vulnerability in the file system. The audio framework is subject to CVE-2026-41976, a Medium severity permission control vulnerability that could affect service confidentiality. Another permission control vulnerability, CVE-2026-41980, affecting the file preview module, also poses a risk to confidentiality.
Service availability is also a concern with CVE-2026-41974, a low-severity permission control vulnerability in service notifications, and CVE-2026-41972, a Medium severity path traversal vulnerability in the SMS app. Finally, CVE-2026-41975, a Medium severity permission management vulnerability in the network management module, could affect service integrity.
While the specific affected product versions and patch details were not detailed in the initial disclosures, the coordinated release suggests a comprehensive update or advisory from Huawei addressing these issues. Users are advised to consult Huawei's official security advisories for the most accurate information regarding affected products and recommended actions. The range of vulnerabilities, from logic bypasses to memory corruption flaws, underscores the importance of timely patching and security diligence for Huawei product users.