Vypr Intelligence · AI-generated · May 31, 2026 · 10 CVEs

OpenHarmony v6.0: Ten CVEs Disclosed in Single Advisory — Two Remote Code Execution Flaws in Pre-Installed Apps

Ten vulnerabilities hit OpenHarmony v6.0 and earlier on May 19, including two high-severity remote code execution bugs in pre-installed apps and a permanent denial-of-service flaw.

Key findings

  • Two High-severity RCE bugs (CVE-2026-27648, CVE-2026-24792) in pre-installed apps are remotely exploitable
  • CVE-2026-25781 causes a permanent denial-of-service condition that cannot be recovered
  • Four Low-severity local DoS CVEs share identical CVSS 3.3 scores and descriptions
  • All ten CVEs affect OpenHarmony v6.0 and all prior versions
  • No patched version number has been published yet; users should monitor the security bulletin

The OpenHarmony project published a coordinated batch of ten CVEs on May 19, 2026, covering versions up to and including OpenHarmony v6.0. The disclosure spans Low to High severity (CVSSv3 3.3–8.8) and includes two remote code execution (RCE) vulnerabilities in pre-installed applications, a permanent denial-of-service bug, and several information-leak and local-DoS flaws. The breadth of the batch — touching everything from pre-installed app sandboxing to kernel-level crash states — makes it one of the more consequential single-day advisories for the open-source operating system this year.

Remote code execution in pre-installed apps (High severity)

Two of the most critical CVEs in the batch target pre-installed applications that ship with OpenHarmony. CVE-2026-27648 (CVSS 8.8) and CVE-2026-24792 (CVSS 8.1) both allow a remote attacker to achieve arbitrary code execution within the context of pre-installed apps. The lower CVSS score on CVE-2026-24792 reflects slightly different attack complexity, but both share the same attack vector — network-accessible — and the same impact: full compromise of the targeted app's process. Because pre-installed apps often carry elevated privileges or access to sensitive system services, successful exploitation could serve as a beachhead for deeper lateral movement on the device.

Permanent denial of service (High severity)

CVE-2026-25781 (CVSS 8.4) stands out for its unusual impact description: a local attacker can cause a denial-of-service condition that *cannot be recovered*. The advisory does not specify whether recovery requires a factory reset or hardware intervention, but the language implies a persistent crash or boot-loop state that survives a standard reboot. This is the only CVE in the batch with an explicitly permanent effect, and its high CVSS score reflects the severity of a bricked device.

Information leaks (Medium severity)

Two Medium-severity CVEs address information disclosure. CVE-2026-27766 (CVSS 5.5) and CVE-2026-25850 (CVSS 5.5) both allow a local attacker to leak sensitive data from the system. The identical CVSS scores and similar descriptions suggest they may reside in related subsystems — possibly shared memory regions, inter-process communication channels, or debugging interfaces that fail to enforce proper access controls.

Arbitrary code execution via local access (Medium severity)

CVE-2026-28733 (CVSS 6.5) permits a local attacker to achieve arbitrary code execution. While the CVSS score is Medium, local code execution can be a powerful escalation primitive when combined with other bugs — for example, as a follow-on to one of the information-leak CVEs.

Denial-of-service cluster (Low severity)

Four Low-severity CVEs — CVE-2026-33565, CVE-2026-28751, CVE-2026-27781, and CVE-2026-25110 — all share a CVSS score of 3.3 and the same description: a local attacker can cause a denial-of-service condition. CVE-2026-27648 (the High-severity RCE) also has a DoS component in its description, but its primary impact is code execution. The four Low-severity DoS bugs are likely crash-trigger vulnerabilities in system services or drivers that require local access to exploit.

Patch status and response

The OpenHarmony project has not yet published a specific patched version number in the advisory metadata, but the disclosure states that all ten CVEs affect OpenHarmony v6.0 and prior versions. Users and device integrators should monitor the OpenHarmony security bulletin for the exact fix release. In the interim, restricting local access to untrusted users and auditing pre-installed app permissions are prudent mitigations, particularly for the two remote RCE bugs in pre-installed apps.

Why this batch matters

OpenHarmony is deployed across a growing ecosystem of IoT devices, smart displays, and embedded systems where recovery options are often limited. A permanent DoS bug like CVE-2026-25781 is especially concerning for headless or field-deployed devices that lack physical console access. The two remote RCE flaws in pre-installed apps are the most urgent: they require no local foothold and could be chained in attacks that start from a malicious network packet. Device manufacturers and enterprise deployers should prioritize the upcoming patch cycle and review whether pre-installed app attack surfaces are reachable from untrusted networks.

AI-written article. Grounded in 10 CVE records listed below.