Protect Your OpenHarmony Devices: Critical Code Execution Vulnerability Discovered

CVE: CVE-2024-21860
CVSS v3.1 base score: 8.2
Source: CVE-2024-21860

Researchers have discovered a vulnerability in OpenHarmony, an open source operating system for smart devices, that could allow hackers to take control of devices running versions 4.0.0 or earlier.

The vulnerability, tracked as CVE-2024-21860, is caused by improper memory management that results in a use-after-free. A use-after-free occurs when a program keeps using a pointer after the memory it points to has been released back to the allocator. By the time the stale pointer is dereferenced, the allocator may already have handed that memory to a new object, so the program reads or writes data it never intended to touch; if the reused memory held a function pointer or similar control data, attacker-controlled contents can redirect execution. A skilled attacker could exploit this to run arbitrary code on the device with the privileges of the affected application.
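The paragraph above describes the mechanism in the abstract. The following is an added example written for this page, not code from OpenHarmony, from the CVE's reporters, or from the vulnerable component; it models the general use-after-free pattern with a toy slab allocator, a hypothetical `struct session` object, and invented function names, so the memory reuse is deterministic and the reader can see why a dangling reference becomes attacker-controlled control flow. The hardened variant shows one standard fix, generation-tagged handles that are validated on every use; it is an illustration of the technique, not the patch OpenHarmony shipped.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy slab allocator (assumption for this example): fixed-size slots and a
 * LIFO free list, so the slot released by the last slab_free() is exactly
 * what the next slab_alloc() returns. Real allocators are more complex, but
 * an attacker only needs the reuse to be predictable enough to reclaim it. */
#define SLOT_COUNT 4
#define SLOT_SIZE  32

static unsigned char slab[SLOT_COUNT][SLOT_SIZE];
static int free_stack[SLOT_COUNT];
static int free_top;
static uint32_t slot_generation[SLOT_COUNT]; /* bumped on every free */

static void slab_init(void) {
    memset(slab, 0, sizeof slab);
    memset(slot_generation, 0, sizeof slot_generation);
    free_top = 0;
    for (int i = SLOT_COUNT - 1; i >= 0; i--) free_stack[free_top++] = i;
}

static void *slab_alloc(void) {
    return free_top > 0 ? slab[free_stack[--free_top]] : NULL;
}

static int slot_of(const void *p) {
    return (int)(((const unsigned char *)p - &slab[0][0]) / SLOT_SIZE);
}

static void slab_free(void *p) {
    int slot = slot_of(p);
    memset(slab[slot], 0, SLOT_SIZE);  /* freed memory starts clean for the next owner */
    slot_generation[slot]++;           /* every handle issued for this slot is now stale */
    free_stack[free_top++] = slot;
}

/* The object at risk: a session carrying a callback. Hypothetical layout. */
struct session {
    int (*on_event)(int);
    char name[16];
};

static int benign_handler(int x)   { return x + 1; }
static int hijacked_handler(int x) { return -x; }  /* stands in for the attacker's target */

/* VULNERABLE: the dispatcher keeps a raw pointer to the session, and nothing
 * invalidates that pointer when the session is freed. */
static int dispatch_vulnerable(void) {
    slab_init();
    struct session *s = slab_alloc();
    s->on_event = benign_handler;
    strcpy(s->name, "user");
    struct session *dispatcher_ref = s;   /* second reference, never cleared */

    slab_free(s);                         /* session torn down ... */

    /* ... and the freed slot goes straight to the next allocation, whose
     * contents the attacker controls (e.g. a payload from an adjacent peer).
     * Here the attacker "writes" a function pointer; in reality it would be
     * whatever bytes land at that offset of the reclaimed object. */
    struct session *reclaimed = slab_alloc();
    reclaimed->on_event = hijacked_handler;

    return dispatcher_ref->on_event(41);  /* stale pointer: attacker's callback runs */
}

/* HARDENED: references are (slot, generation) handles checked on every use,
 * so a handle issued before a free can no longer reach the slot. */
struct handle { int slot; uint32_t gen; };

static struct handle handle_of(const struct session *s) {
    int slot = slot_of(s);
    return (struct handle){ slot, slot_generation[slot] };
}

static struct session *session_lookup(struct handle h) {
    if (h.slot < 0 || h.slot >= SLOT_COUNT) return NULL;
    if (slot_generation[h.slot] != h.gen) return NULL;  /* freed since issued */
    return (struct session *)slab[h.slot];
}

static int dispatch_hardened(void) {
    slab_init();
    struct session *s = slab_alloc();
    s->on_event = benign_handler;
    struct handle dispatcher_ref = handle_of(s);

    slab_free(s);
    struct session *reclaimed = slab_alloc();
    reclaimed->on_event = hijacked_handler;

    struct session *live = session_lookup(dispatcher_ref);
    if (live == NULL) return 0;           /* stale handle refused, nothing is called */
    return live->on_event(41);
}

int main(void) {
    printf("vulnerable dispatch returned %d (42 expected; attacker took control)\n",
           dispatch_vulnerable());
    printf("hardened dispatch returned %d (stale handle refused)\n",
           dispatch_hardened());
    return 0;
}
```

The vulnerable path returns -41 rather than 42 because the callback it invokes is the one the attacker placed in the reclaimed slot. If the slot had not been reclaimed, the zeroed memory would have produced a NULL function pointer and a crash instead, which is the denial-of-service face of the same bug. The hardened path refuses the stale handle; equivalent real-world defences include clearing every reference on teardown, reference counting so the object outlives its last user, and allocator-side mitigations such as delayed reuse or quarantine.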

The attack vector is adjacent: the attacker must be on the same physical or logical network segment as the device, for example within Wi-Fi or Bluetooth range, but does not need any action from the user. The flaw cannot be reached from the open Internet, yet the absence of user interaction is what makes it serious, since any device that comes within range of a hostile peer can be attacked silently.

If you have a device running OpenHarmony 4.0.0 or earlier, update to a fixed release as soon as your device vendor provides one. Keep the operating system and applications current to protect against known vulnerabilities, and because the attack vector is adjacent, keep the device on a network you control and be cautious of unfamiliar devices attempting to connect to it.

While concerning, staying vigilant about updates and practicing safe connectivity habits can help minimize risk until patches are widely shipped by device manufacturers. We appreciate the researchers who responsibly disclose issues like this one to help strengthen security for all.
