CVE-2021-22480

9.8 CRITICAL

📋 TL;DR

CVE-2021-22480 is an integer overflow vulnerability in a HarmonyOS module interface that can lead to heap memory overflow when exploited. This vulnerability affects Huawei HarmonyOS devices and could allow attackers to execute arbitrary code or cause denial of service. The high CVSS score of 9.8 indicates critical severity.
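As an added illustration of the bug class named above (constructed example, not HarmonyOS code, which this page does not show), the snippet below pairs a 32-bit length computation that wraps with the overflow-checked form a fix would use; the 16-byte header and the count-times-element-size layout are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical record layout: a 16-byte header followed by `count`
 * records of `elem_size` bytes each. Not HarmonyOS's actual interface. */
#define HDR_LEN 16u

/* Vulnerable pattern: the size is computed in unchecked 32-bit arithmetic,
 * so a large count wraps modulo 2^32 and yields a tiny allocation. Data
 * copied in afterwards using the original count then overruns the heap. */
uint32_t buffer_len_unchecked(uint32_t count, uint32_t elem_size)
{
    return HDR_LEN + count * elem_size;   /* may wrap to a small value */
}

/* Hardened form: widen to 64 bits so the product cannot wrap, and reject
 * any request whose true size does not fit the 32-bit length field.
 * Returns true and writes *out on success, false when it would overflow. */
bool buffer_len_checked(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    uint64_t total = (uint64_t)count * elem_size;
    if (total > UINT32_MAX - HDR_LEN)
        return false;
    *out = (uint32_t)(HDR_LEN + total);
    return true;
}

/* Allocation helper built on the checked length; NULL means rejected. */
uint8_t *alloc_records(uint32_t count, uint32_t elem_size, uint32_t *len_out)
{
    uint32_t len;
    if (!buffer_len_checked(count, elem_size, &len))
        return NULL;
    uint8_t *buf = calloc(1, len);
    if (buf && len_out)
        *len_out = len;
    return buf;
}

int main(void)
{
    uint32_t len = 0;
    /* 0x40000000 * 4 == 2^32: wraps to 0, so the unchecked size is 16. */
    printf("unchecked: %u bytes\n", buffer_len_unchecked(0x40000000u, 4u));
    printf("checked:   %s\n", buffer_len_checked(0x40000000u, 4u, &len) ? "ok" : "rejected");
    return 0;
}
```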

💻 Affected Systems

Products:
  • Huawei HarmonyOS
Versions: HarmonyOS 2.0 versions prior to 2.0.0.230
Operating Systems: HarmonyOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Huawei smartphones, tablets, and IoT devices running vulnerable HarmonyOS versions

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or persistent backdoor installation

🟠

Likely Case

Application crash or denial of service affecting device functionality

🟢

If Mitigated

Limited impact with proper network segmentation and access controls

🌐 Internet-Facing: HIGH - Affects HarmonyOS devices that may be exposed to network attacks
🏢 Internal Only: MEDIUM - Requires attacker access to internal network or malicious app installation

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Integer overflow vulnerabilities typically require specific input conditions to turn the wrapped value into actual memory corruption.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HarmonyOS 2.0.0.230 and later

Vendor Advisory: https://device.harmonyos.com/en/docs/security/update/security-bulletins-202109-0000001196270727

Restart Required: Yes

Instructions:

1. Check the current HarmonyOS version in Settings > About phone > HarmonyOS version.
2. If the version is earlier than 2.0.0.230, go to Settings > System & updates > Software update.
3. Download and install the latest update.
4. Restart the device after installation completes.

🔧 Temporary Workarounds

Network segmentation (all platforms): Isolate HarmonyOS devices from untrusted networks and limit network exposure.

Application control (all platforms): Restrict installation of untrusted applications through device policies.

🧯 If You Can't Patch

  • Isolate affected devices in separate network segments with strict firewall rules
  • Implement application allowlisting to prevent malicious app execution

🔍 How to Verify

Check if Vulnerable:

Check the HarmonyOS version in Settings > About phone > HarmonyOS version. If the version is earlier than 2.0.0.230, the device is vulnerable.

Check Version:

Not applicable - no command-line check is provided; use the device settings interface.

Verify Fix Applied:

Verify that the HarmonyOS version is 2.0.0.230 or later in Settings > About phone > HarmonyOS version.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes related to memory corruption
  • Unexpected process termination in system logs

Network Indicators:

  • Unusual network traffic from HarmonyOS devices
  • Attempts to exploit memory corruption patterns

SIEM Query:

Not provided - monitor for HarmonyOS device crashes and memory-related errors in collected device logs.
