CVE-2021-37095 – This integer overflow vulnerability in Huawei s... (How to Fix)

Q: What is the severity of CVE-2021-37095?

CVE-2021-37095 has a CVSS score of 9.8 (CRITICAL). This integer overflow vulnerability in Huawei smartphones allows attackers to cause denial of service or potentially execute arbitrary code remotely. It affects Huawei devices running HarmonyOS. Successful exploitation could compromise device security and user data.

📋 TL;DR

This integer overflow vulnerability in Huawei smartphones allows attackers to cause denial of service or potentially execute arbitrary code remotely. It affects Huawei devices running HarmonyOS. Successful exploitation could compromise device security and user data.

💻 Affected Systems

Products:

Huawei smartphones

Versions: HarmonyOS versions prior to 2.0.0.230

Operating Systems: HarmonyOS

Default Config Vulnerable: ⚠️ Yes

Notes: Affects Huawei devices running vulnerable HarmonyOS versions. Exact device models not specified in advisory.

📦 What is this software?

Harmonyos by Huawei

View all CVEs affecting Harmonyos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, data theft, and persistent backdoor installation.

🟠

Likely Case

Remote denial of service causing device crashes or instability, potentially requiring factory reset.

🟢

If Mitigated

Limited impact with proper network segmentation and security controls, potentially only causing temporary service disruption.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

CVSS 9.8 indicates critical severity with network-based attack vector and no authentication required. Specific exploitation details not publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HarmonyOS 2.0.0.230 or later

Vendor Advisory: https://device.harmonyos.com/en/docs/security/update/security-bulletins-202109-0000001196270727

Restart Required: Yes

Instructions:

1. Check current HarmonyOS version in Settings > System & updates > Software update. 2. If version is prior to 2.0.0.230, download and install the latest update. 3. Restart device after installation completes.

🔧 Temporary Workarounds

Network segmentation

all

Restrict device network access to trusted networks only

Disable unnecessary services

all

Turn off Bluetooth, Wi-Fi, and mobile data when not in use

🧯 If You Can't Patch

Isolate affected devices on separate network segments with strict firewall rules
Implement application allowlisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check HarmonyOS version in Settings > System & updates > Software update. If version is below 2.0.0.230, device is vulnerable.

Check Version:

Settings > System & updates > Software update (no CLI command available)

Verify Fix Applied:

Confirm HarmonyOS version is 2.0.0.230 or higher in Settings > System & updates > Software update.

📡 Detection & Monitoring

Log Indicators:

Unexpected device crashes
Abnormal process termination
Memory allocation failures

Network Indicators:

Unusual network traffic to/from Huawei devices
Connection attempts to unexpected ports

SIEM Query:

device_vendor:Huawei AND (event_type:crash OR memory_allocation_failure)

📊 Metadata

CVE ID: CVE-2021-37095

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-190

Published: December 7, 2021

Last Updated: November 21, 2024

🔗 References

https://device.harmonyos.com/en/docs/security/update/security-bulletins-202109-0000001196270727 Vendor Advisory
https://device.harmonyos.com/en/docs/security/update/security-bulletins-202109-0000001196270727 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-37095, you might also want to check these: