CVE-2025-0304

High

Published: 07 February 2025

Published

07 February 2025

Modified

11 February 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0008 23.5th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

in OpenHarmony v4.1.2 and prior versions allow a local attacker cause the common permission is upgraded to root and sensitive information leak through use after free.

Security Summary

CVE-2025-0304 is a use-after-free vulnerability (CWE-416) present in OpenHarmony versions 4.1.2 and prior. The flaw enables a local attacker to upgrade common permissions to root level and leak sensitive information.

The vulnerability can be exploited by a local attacker who has low privileges (PR:L). Exploitation requires low attack complexity (AC:L) and no user interaction (UI:N), but changes scope (S:C) to achieve high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H), yielding a CVSS v3.1 base score of 8.8.

Mitigation details are available in the OpenHarmony security advisory at https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-02.md. The CVE was published on 2025-02-07.

Details

CWE(s): CWE-416

Affected Products

openatom

openharmony

4.1.0 — 4.1.2

References

https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-02.md
Vendor Advisory · scy@openharmony.io