CVE-2025-20626
Published: 04 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-20626 is a use-after-free vulnerability (CWE-416) affecting OpenHarmony versions v5.0.2 and prior. It enables a local attacker to achieve arbitrary code execution within pre-installed applications on affected systems. The vulnerability stems from improper memory management, allowing freed memory to be accessed and exploited post-deallocation.
A local attacker with low privileges (PR:L) can exploit this issue with low attack complexity (AC:L) and no user interaction required (UI:N). Exploitation is confined to restricted scenarios, leading to arbitrary code execution in pre-installed apps. The CVSS v3.1 base score of 3.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N) reflects a low overall severity, primarily due to the local attack vector, changed scope (S:C), and limited confidentiality impact (C:L) with no integrity or availability effects.
Mitigation details are outlined in the OpenHarmony security advisory available at https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-03.md, published alongside the CVE on 2025-03-04. Security practitioners should consult this advisory for patch information and recommended remediation steps specific to OpenHarmony deployments.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Use-after-free vulnerability enables local arbitrary code execution in pre-installed applications, directly facilitating exploitation for privilege escalation.