Login Sign Up

CVE-2021-46893

7.5 HIGH

📋 TL;DR

This CVE describes a vulnerability in Huawei/HarmonyOS systems where insufficient data verification and parameter checking could allow attackers to compromise system integrity. The vulnerability affects Huawei consumer devices running HarmonyOS. Successful exploitation could allow unauthorized modification of system data or settings.

💻 Affected Systems

Products:
  • Huawei smartphones
  • Huawei tablets
  • HarmonyOS devices
Versions: HarmonyOS versions prior to security updates released in July 2023
Operating Systems: HarmonyOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Huawei consumer devices running vulnerable HarmonyOS versions. Enterprise/cloud products may not be affected.

📦 What is this software?

Emui by Huawei

View all CVEs affecting Emui →

Harmonyos by Huawei

View all CVEs affecting Harmonyos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could modify critical system files, install persistent malware, or gain elevated privileges on affected devices.

🟠

Likely Case

Local attackers with some access could manipulate application data or system settings to bypass security controls.

🟢

If Mitigated

With proper access controls and monitoring, impact would be limited to non-critical system components.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation likely requires some level of local access or compromised application. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HarmonyOS security updates from July 2023 onward

Vendor Advisory: https://consumer.huawei.com/en/support/bulletin/2023/7/

Restart Required: Yes

Instructions:

1. Check for system updates in device Settings > System & updates > Software update. 2. Download and install available security updates. 3. Restart device when prompted.

🔧 Temporary Workarounds

Restrict local access

all

Limit physical and application access to vulnerable devices

🧯 If You Can't Patch

  • Isolate affected devices from critical networks
  • Implement strict application whitelisting and monitoring

🔍 How to Verify

Check if Vulnerable:

Check HarmonyOS version in Settings > About phone > HarmonyOS version. Compare against July 2023 security bulletin.

Check Version:

Settings > About phone > HarmonyOS version

Verify Fix Applied:

Verify HarmonyOS version is updated to include July 2023 security patches. Check last update date in Settings > System & updates > Software update.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected system file modifications
  • Unauthorized privilege escalation attempts
  • Suspicious application behavior

Network Indicators:

  • Unusual outbound connections from affected devices

SIEM Query:

Device logs showing unexpected system modifications or privilege changes on HarmonyOS devices

📊 Metadata

CVE ID: CVE-2021-46893
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-1284
Published: July 5, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-46893, you might also want to check these:

CVE-2024-8887 10.0

CVE-2024-8887 is an authentication bypass vulnerability in CIRCUTOR Q-SMT firmware that allows attac...

Same vulnerability type (CWE-1284)
CVE-2025-55398 9.8

A vulnerability in mouse07410 asn1c through version 0.9.29 allows attackers to bypass INTEGER constr...

Same vulnerability type (CWE-1284)
CVE-2021-31556 9.8

This vulnerability in MediaWiki's OAuth extension allows attackers to cause denial of service or pot...

Same vulnerability type (CWE-1284)