CVE-2021-37046

7.5 HIGH

📋 TL;DR

This vulnerability in Huawei smartphones allows attackers to trigger memory exhaustion through the codec detection module, causing device restarts. It affects Huawei smartphone users running vulnerable software versions. The memory leak can be exploited to cause denial of service.

💻 Affected Systems

Products:
  • Huawei smartphones
Versions: Specific versions not detailed in provided references; check Huawei bulletins for exact affected versions.
Operating Systems: HarmonyOS, Android-based Huawei EMUI
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with the vulnerable codec detection module; exact models should be verified via Huawei advisories.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Persistent denial of service through repeated exploitation causing continuous device restarts, potentially rendering the device unusable.

🟠 Likely Case: Temporary device restart causing service disruption and potential data loss from unsaved work.

🟢 If Mitigated: Minimal impact if patched or if device has memory monitoring that prevents exhaustion.

🌐 Internet-Facing: MEDIUM - Requires user interaction with malicious content but can be delivered via web/messaging apps.
🏢 Internal Only: LOW - Primarily affects individual devices rather than internal network infrastructure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction with malicious media content; no public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Huawei security bulletins for specific patched versions

Vendor Advisory: https://consumer.huawei.com/en/support/bulletin/2021/9/

Restart Required: Yes

Instructions:

1. Check for system updates in device settings.
2. Install available security updates.
3. Restart device after update installation.

🔧 Temporary Workarounds

  • Avoid untrusted media sources (all platforms): Prevent processing of malicious media files that could trigger the vulnerability
  • Disable automatic media processing (all platforms): Configure apps to not automatically process media files from untrusted sources

🧯 If You Can't Patch

  • Monitor device for unusual memory usage patterns and restart behavior
  • Use device management tools to restrict media processing from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check device software version against Huawei security bulletins for September 2021

Check Version:

Settings > About phone > Software information (exact path varies by device)

Verify Fix Applied:

Verify installed software version matches or exceeds patched versions listed in Huawei advisories

📡 Detection & Monitoring

Log Indicators:

  • Repeated device restarts
  • High memory usage by media/codec processes
  • Out of memory errors in system logs

Network Indicators:

  • Unusual media file downloads preceding restarts

SIEM Query:

Device logs showing pattern: ('memory exhaustion' OR 'out of memory') AND ('codec' OR 'media') process
