CVE-2021-46890

9.8 CRITICAL

📋 TL;DR

This vulnerability in Huawei GPU modules allows attackers to bypass read/write permission checks, potentially leading to unauthorized access to sensitive data or system compromise. It affects Huawei devices running HarmonyOS with vulnerable GPU drivers. The high CVSS score indicates critical impact potential.

💻 Affected Systems

Products:
  • Huawei smartphones
  • Huawei tablets
  • Huawei devices with HarmonyOS
Versions: HarmonyOS versions prior to the July 2023 security updates
Operating Systems: HarmonyOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires GPU module access; affects devices with specific Huawei GPU hardware/drivers

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary code with kernel privileges, access all GPU-accessible memory, and potentially bypass all security controls.

🟠 Likely Case

Unauthorized access to GPU-accessible memory regions leading to information disclosure, privilege escalation, or denial of service affecting GPU functionality.

🟢 If Mitigated

Limited impact if proper isolation controls prevent GPU access from untrusted processes, though some information leakage may still occur.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access or the ability to execute code on the device; no public exploits are known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: July 2023 security updates for HarmonyOS

Vendor Advisory: https://consumer.huawei.com/en/support/bulletin/2023/7/

Restart Required: Yes

Instructions:

1. Check for system updates in device settings.
2. Install July 2023 or later security updates.
3. Reboot device after installation.

🔧 Temporary Workarounds

Restrict GPU access

Limit GPU module access to trusted applications only through SELinux/security policies

Disable unnecessary GPU features

Disable GPU compute/shader features not required for device operation

🧯 If You Can't Patch

  • Isolate affected devices from untrusted networks and users
  • Implement application allowlisting to prevent untrusted code execution

🔍 How to Verify

Check if Vulnerable:

Check HarmonyOS version in Settings > About phone > HarmonyOS version; versions before July 2023 patches are vulnerable

Check Version:

Not applicable via command line on consumer devices; use device settings interface

Verify Fix Applied:

Verify HarmonyOS version shows July 2023 or later security patch level in Settings > About phone

📡 Detection & Monitoring

Log Indicators:

  • Unusual GPU driver access patterns
  • Permission denied errors for GPU operations from unexpected processes
  • Kernel logs showing GPU permission violations

Network Indicators:

  • Not network exploitable; focus on local system monitoring

SIEM Query:

Not applicable for typical consumer device monitoring
