{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34853", "assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e", "state": "PUBLISHED", "assignerShortName": "huawei", "dateReserved": "2026-03-31T01:11:13.700Z", "datePublished": "2026-04-13T03:54:55.483Z", "dateUpdated": "2026-04-13T03:55:21.857Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "25ac1063-e409-4190-8079-24548c77ea2e", "shortName": "huawei", "dateUpdated": "2026-04-13T03:55:21.857Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-270", "description": "CWE-270 Privilege context switching error", "type": "CWE"}]}], "affected": [{"vendor": "Huawei", "product": "HarmonyOS", "versions": [{"status": "affected", "version": "4.3.1"}, {"status": "affected", "version": "4.3.0"}, {"status": "affected", "version": "4.2.0"}, {"status": "affected", "version": "4.0.0"}], "defaultStatus": "unaffected"}, {"vendor": "Huawei", "product": "EMUI", "versions": [{"status": "affected", "version": "15.0.0"}, {"status": "affected", "version": "14.2.0"}, {"status": "affected", "version": "14.0.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Permission bypass vulnerability in the LBS module.\nImpact: Successful exploitation of this vulnerability may affect availability.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Permission bypass vulnerability in the LBS module.<br>Impact: Successful exploitation of this vulnerability may affect availability."}]}], "references": [{"url": "https://consumer.huawei.com/en/support/bulletin/2026/4/"}, {"url": "https://consumer.huawei.com/en/support/bulletinvision/2026/4/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.7, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Permission bypass vulnerability in the LBS module.\nImpact: Successful exploitation of this vulnerability may affect availability."}], "id": "CVE-2026-34853", "lastModified": "2026-04-13T04:16:12.217", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.1, "impactScore": 6.0, "source": "psirt@huawei.com", "type": "Secondary"}]}, "published": "2026-04-13T04:16:12.217", "references": [{"source": "psirt@huawei.com", "url": "https://consumer.huawei.com/en/support/bulletin/2026/4/"}, {"source": "psirt@huawei.com", "url": "https://consumer.huawei.com/en/support/bulletinvision/2026/4/"}], "sourceIdentifier": "psirt@huawei.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-270"}], "source": "psirt@huawei.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "15.0.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "14.2.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "14.0.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "EMUI", "source": "cna", "vendor": "Huawei"}, "product": "emui", "vendor": "huawei"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.3.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.3.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.2.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.0.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "HarmonyOS", "source": "cna", "vendor": "Huawei"}, "product": "harmonyos", "vendor": "huawei"}], "analysis": {"en": {"generated_at": "2026-04-13T05:20:31.697952+00:00", "value": {"mitigation_remediation": ["Check Huawei consumer support bulletins for an official patch or update and apply it to affected EMUI and HarmonyOS devices", "If a patch is not yet available, disable or restrict the use of Location-Based Services on the device", "Apply the patch as soon as it becomes available to eliminate the permission bypass", "Continuously monitor Huawei security advisories for updates on this vulnerability"], "summary": {"action": "Apply Patch", "impact": "Availability disruption through LBS permission bypass"}, "threat_synthesis": {"affected_systems": "The flaw impacts Huawei EMUI firmware and HarmonyOS operating systems. Specific version information is not listed; therefore, all current releases may be affected until a vendor patch is released.", "description_and_impact": "A permission bypass flaw exists in the Location-Based Services (LBS) module of Huawei products. The vulnerability enables an attacker to gain access to privileged functions or data that should be restricted. As a result, the attacker can potentially affect system availability by continuing to consume resources or triggering service disruptions. The weakness is classified as CWE\u2011270, indicating improper authorization control.", "risk_and_exploitability": "The CVSS score of 7.7 places this vulnerability in the high\u2011severity range. EPSS data is unavailable, and the flaw is not yet reported in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is inferred to be local or remote if an attacker can trigger the LBS component, such as through a crafted request or malicious application. Given the high impact on availability and the absence of existing public exploits, organizations should treat this as a high\u2011risk issue."}}}}, "created": "2026-04-13T12:37:38.360500+00:00", "updated": "2026-04-13T12:53:25.859131+00:00", "vendors": ["huawei", "huawei$PRODUCT$emui", "huawei$PRODUCT$harmonyos"]}