Skip to main content

CVE-2025-23235: CWE-125 Out-of-bounds Read in OpenHarmony OpenHarmony

Low
VulnerabilityCVE-2025-23235cvecve-2025-23235cwe-125
Published: Sun Jun 08 2025 (06/08/2025, 11:46:40 UTC)
Source: CVE Database V5
Vendor/Project: OpenHarmony
Product: OpenHarmony

Description

in OpenHarmony v5.0.3 and prior versions allow a local attacker cause DOS through out-of-bounds read.

AI-Powered Analysis

AILast updated: 07/09/2025, 00:41:48 UTC

Technical Analysis

CVE-2025-23235 is a security vulnerability identified in OpenHarmony version 5.0.3 and earlier, specifically affecting version 5.0.1 as noted. The vulnerability is classified as a CWE-125: Out-of-bounds Read, which occurs when a program reads data outside the boundaries of allocated memory. This flaw can be exploited by a local attacker to cause a Denial of Service (DoS) condition. The attack vector requires local access with low privileges (AV:L, PR:L), and no user interaction is needed (UI:N). The vulnerability does not impact confidentiality or integrity but affects availability by causing the affected system or application to crash or become unresponsive due to the out-of-bounds memory read. The CVSS v3.1 base score is 3.3, indicating a low severity level. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability's impact is limited to local users, which reduces its risk profile compared to remote exploits. However, since OpenHarmony is an open-source operating system designed for IoT devices and embedded systems, the vulnerability could affect devices running this OS if exploited locally, potentially disrupting device functionality.

Potential Impact

For European organizations, the impact of CVE-2025-23235 depends largely on the deployment of OpenHarmony-based devices within their infrastructure. OpenHarmony targets IoT and embedded systems, which are increasingly used in industrial control systems, smart city infrastructure, and consumer electronics. A local attacker exploiting this vulnerability could cause device crashes leading to service interruptions or operational downtime. While the vulnerability does not compromise data confidentiality or integrity, availability disruptions in critical IoT devices could affect business continuity, especially in sectors relying on real-time data and automation. The low severity and requirement for local access limit the threat to environments where attackers can gain physical or local network access. Organizations with extensive IoT deployments should assess their exposure, as compromised devices could cascade failures or require costly manual interventions. The lack of known exploits reduces immediate risk but does not eliminate the need for vigilance and proactive mitigation.

Mitigation Recommendations

European organizations should implement the following specific mitigations: 1) Inventory and identify all devices running OpenHarmony, particularly version 5.0.3 and earlier, to assess exposure. 2) Restrict local access to devices by enforcing strict physical security controls and network segmentation to limit attacker proximity. 3) Monitor device logs and behavior for signs of crashes or abnormal restarts that could indicate exploitation attempts. 4) Engage with OpenHarmony community and vendors to obtain patches or updates addressing CVE-2025-23235 as they become available; prioritize timely patching once released. 5) Implement intrusion detection systems capable of detecting anomalous local activity on IoT devices. 6) For critical systems, consider deploying redundancy or failover mechanisms to minimize impact from potential DoS conditions. 7) Educate local administrators and users about the risks of local exploitation and enforce least privilege principles to reduce attack surface.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
OpenHarmony
Date Reserved
2025-03-02T07:18:04.347Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68458da771f4d251b55103c6

Added to database: 6/8/2025, 1:18:31 PM

Last enriched: 7/9/2025, 12:41:48 AM

Last updated: 8/12/2025, 3:02:27 AM

Views: 15

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats