Introduction
An out of bounds write in OpenHarmony's web_webview component allows remote attackers to execute arbitrary code inside pre installed applications, requiring only low privileges and no user interaction. With a CVSS 3.1 score of 8.8 and an ecosystem spanning over one billion devices, this vulnerability has meaningful implications for the IoT and embedded device landscape.
OpenHarmony is a family of open source distributed operating systems originally sharing principles from the Huawei LiteOS lineage. Huawei donated the core source code to the OpenAtom Foundation, the first foundation for open source software in China, and the platform now collaborates with more than five hundred hardware partners across smartphones, tablets, smart TVs, and industrial infrastructure. Its scale and diversity of deployment targets make any remotely exploitable vulnerability in a core component a significant concern for the broader embedded systems ecosystem.
Technical Information
Root Cause: Out of Bounds Write (CWE 787)
The vulnerability resides in the web_webview component of OpenHarmony. The root cause is an out of bounds write condition, formally classified as CWE 787, where the software writes data past the end or before the beginning of the intended buffer. The specific code defect is linked to a flowbuffer security issue within the chromium_src repository, as tracked in issue 5602.
CVSS Vector Breakdown
The full CVSS 3.1 vector string is:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Breaking this down:
| Metric | Value | Meaning |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely over the network |
| Attack Complexity (AC) | Low | No special conditions or race conditions required |
| Privileges Required (PR) | Low | Attacker needs minimal authentication |
| User Interaction (UI) | None | No victim action needed |
| Scope (S) | Unchanged | Impact stays within the vulnerable component's authority |
| Confidentiality (C) | High | Full read access to data within the app context |
| Integrity (I) | High | Full modification capability |
| Availability (A) | High | Complete denial of service possible |
Attack Flow
Based on the available information, the exploitation path follows this sequence:
- The attacker identifies a target device running OpenHarmony v5.0.3 through v6.0 with a pre installed application that utilizes the
web_webviewcomponent. - The attacker sends specially crafted data over the network to the vulnerable application. This data is designed to trigger the flowbuffer flaw in the underlying
chromium_srccode. - The crafted input causes an out of bounds write condition in the webview's buffer handling logic, corrupting adjacent memory.
- By controlling the data written beyond the buffer boundary, the attacker achieves arbitrary code execution within the context of the pre installed application.
The combination of network accessibility, low complexity, and no user interaction requirement makes this vulnerability particularly concerning. An attacker does not need to trick a user into visiting a malicious page or clicking a link; the low privilege requirement and absence of user interaction suggest the attack can be carried out against a listening service or background component.
Flowbuffer Defect in chromium_src
The underlying defect is specifically described as a "flowbuffer security issue" in the chromium_src repository. The OpenHarmony project maintains its own fork of Chromium source code for the webview component, and this fork contained the vulnerable buffer handling logic. Fixes were submitted as pull requests across three release branches: PR 7093 (v6.0), PR 7110 (v5.1.0), and PR 7108 (v5.0.3).
Affected Systems and Versions
The following OpenHarmony versions and components are confirmed affected:
| OpenHarmony Version | Component | Status | Fix Reference |
|---|---|---|---|
| v6.0 Release | web_webview | Affected | PR 7093 |
| v5.1.0 Release | web_webview | Affected | PR 7110 |
| v5.0.3 Release | web_webview | Affected | PR 7108 |
Any device running OpenHarmony v5.0.3 through v6.0 that includes pre installed applications leveraging the web_webview component is vulnerable. Given that OpenHarmony operates on over one billion devices across smartphones, tablets, smart TVs, and industrial infrastructure, the affected surface area is substantial.
Vendor Security History
The OpenHarmony project, governed by the OpenAtom Foundation, acts as its own CVE Numbering Authority. In this case, the vendor demonstrated a proactive security posture by publishing branch specific fixes promptly and disclosing the vulnerability through its official security disclosure channel. The coordinated disclosure and multi branch patching approach suggest a mature vulnerability response process, though the challenge of propagating fixes across more than five hundred hardware partners and their respective firmware update cycles remains a practical concern.



