CVE-2021-37015

7.5 HIGH

📋 TL;DR

This is an out-of-bounds read vulnerability in Huawei smartphone kernels that allows attackers to read memory beyond allocated buffers. Successful exploitation can cause kernel crashes, leading to denial of service. Affected devices include Huawei smartphones running HarmonyOS or EMUI.

💻 Affected Systems

Products:
  • Huawei smartphones
Versions: HarmonyOS 2.0 versions before 2.0.0.230, EMUI versions before specific August 2021 security patches
Operating Systems: HarmonyOS, EMUI
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Huawei devices with specific kernel versions; exact device models not specified in advisory.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Kernel crash causing device reboot and potential data corruption or permanent device instability.

🟠 Likely Case: Temporary denial of service through device crash/reboot, disrupting device functionality.

🟢 If Mitigated: No impact if patched; unpatched devices remain vulnerable to crashes.

🌐 Internet-Facing: LOW - Requires local access or malicious app installation, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Malicious apps or local attackers could exploit to crash devices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access or malicious app execution; no public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HarmonyOS 2.0.0.230 and later, EMUI with August 2021 security patches

Vendor Advisory: https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202108-0000001180965965

Restart Required: Yes

Instructions:

1. Check for system updates in device Settings > System & updates > Software update.
2. Install available security updates.
3. Reboot device after installation.

🔧 Temporary Workarounds

Restrict app installations (all)

Only install apps from trusted sources like official app stores to reduce the risk of malicious apps exploiting the vulnerability.

🧯 If You Can't Patch

  • Isolate affected devices from critical networks and limit user access.
  • Monitor for unusual device crashes or reboots as potential exploitation indicators.

🔍 How to Verify

Check if Vulnerable:

Check device OS version in Settings > About phone > HarmonyOS version or EMUI version.

Check Version:

Not applicable - check via device settings UI.

Verify Fix Applied:

Verify OS version is HarmonyOS 2.0.0.230+ or EMUI with August 2021+ security patches.
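An added example (not part of this advisory or any Huawei tooling) for checking a fleet of reported HarmonyOS version strings against the first patched release named above, 2.0.0.230. The version strings in the block are constructed samples; the advisory gives no version number for the EMUI fix, so EMUI entries are deliberately reported as unparseable rather than guessed at:

```python
# Added example: compare installed HarmonyOS version strings against the
# patched release named in the advisory (2.0.0.230). The inventory below is
# constructed sample data, not output captured from a real device.
from typing import Dict, Iterable, Tuple

PATCHED_HARMONYOS = "2.0.0.230"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version like '2.0.0.230' into an integer tuple.

    Integer tuples compare field by field, which avoids the classic
    string-comparison mistake where '2.0.0.9' sorts above '2.0.0.230'.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, patched: str = PATCHED_HARMONYOS) -> bool:
    """True when the installed version is at or above the patched version."""
    inst, fix = parse_version(installed), parse_version(patched)
    # Pad the shorter tuple with zeros so '2.0.0' compares as '2.0.0.0'.
    width = max(len(inst), len(fix))
    inst += (0,) * (width - len(inst))
    fix += (0,) * (width - len(fix))
    return inst >= fix


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each reported version to 'patched', 'vulnerable' or 'unparseable'."""
    result: Dict[str, str] = {}
    for v in versions:
        try:
            result[v] = "patched" if is_patched(v) else "vulnerable"
        except ValueError:
            # EMUI builds are not covered by the HarmonyOS version threshold;
            # they must be checked by security patch level instead.
            result[v] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory of reported versions
    sample = ["2.0.0.230", "2.0.0.9", "2.0.0.231", "2.0.0", "2.1.0.1", "EMUI 11.0.0.1"]
    for v, status in triage(sample).items():
        print(f"{v:>14}: {status}")
```

The padding step matters because devices and MDM exports do not always report the same number of version fields; the `unparseable` bucket keeps EMUI devices visible so they can be checked against the August 2021 patch level by hand rather than silently marked patched.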

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • Unexpected device reboots
  • Crash reports in system logs

Network Indicators:

  • None - local exploitation only

SIEM Query:

Not applicable for typical mobile device management.
