CVE-2019-5264

Vulnerability

An information disclosure vulnerability exists in the applock feature of certain Huawei smartphones, including Mate 10, Mate 10 Pro, Honor V10, Changxiang 7S, P-smart, Changxiang 8 Plus, Y9 2018, Honor 9 Lite, Honor 9i, and Mate 9. Affected versions include ALP-AL00B 8.0.0.153(C00), ALP-L09 8.0.0.109(C69CUSTC69D1), 8.0.0.134(C40), 8.0.0.136(C212), and others listed in the advisory [1]. The software does not properly handle certain information of applications locked by applock in a rare condition [1].

Exploitation

An attacker with local access to the device must reproduce a specific rare condition where the applock state is mishandled. The exact sequence is not detailed in the references, but the condition likely involves a race window or specific UI interaction that causes the lock mechanism to fail, allowing the attacker to view protected app content [1].

Impact

Successful exploitation leads to information disclosure, meaning the attacker can read data from applications that the user intended to keep private via applock [1]. The attacker does not gain elevated privileges or persistent access beyond this momentary bypass.

Mitigation

Huawei has released software updates to fix this vulnerability. Resolved versions include 9.0.0.167(C00E85R2P20T8) for ALP-AL00B, 9.0.0.163(C69E4R1P9) for ALP-L09, 9.0.0.191(C40E5R1P9T8) for the 8.0.0.134(C40) variant, and 9.0.0.159(C212E3R1P9T8) for the 8.0.0.136(C212) variant [1]. Users should update to the latest EMUI version. No workaround is available if the patch cannot be applied.

References

[1] Huawei Security Advisory: huawei-sa-20191211-01-smartphone