CVE-2021-36991

Vulnerability

CVE-2021-36991 is an unauthorized file access vulnerability in Huawei Smartphones, caused by unstandardized path input handling. The affected software includes EMUI 11.0.0, EMUI 10.1.1, Magic UI 4.0.0, and Magic UI 3.1.1 (as referenced in the July 2021 security bulletin) [1]. Successful exploitation requires an attacker to create malicious file paths to bypass intended access controls.

Exploitation

An attacker with local access to the device can exploit the vulnerability by crafting malicious file paths that are not properly sanitized. No authentication or user interaction is required beyond the ability to create files or influence file path inputs on the system. The unstandardized path input allows traversal or access to files outside the intended directory scope [1].

Impact

Successful exploitation leads to unauthorized file access, potentially allowing the attacker to read sensitive files stored on the device. The impact primarily affects confidentiality, as the attacker can access files they are not normally permitted to view. The vulnerability does not directly enable code execution or privilege escalation beyond the file access scope [1].

Mitigation

Huawei released a fix in its July 2021 security update. Users should update their devices to the latest software version that includes the patch for CVE-2021-36991. The update is available through Huawei's official security bulletin [1]. No known workarounds are documented; applying the security update is the recommended mitigation.