CVE-2025-0302 – An integer overflow vulnerability in OpenHarmon... (How to Fix)

Q: What is the severity of CVE-2025-0302?

CVE-2025-0302 has a CVSS score of 5.5 (MEDIUM). An integer overflow vulnerability in OpenHarmony v4.1.2 and earlier allows local attackers to cause denial of service (DoS) by triggering system crashes or instability. This affects systems running vulnerable OpenHarmony versions where an attacker has local access.

📋 TL;DR

An integer overflow vulnerability in OpenHarmony v4.1.2 and earlier allows local attackers to cause denial of service (DoS) by triggering system crashes or instability. This affects systems running vulnerable OpenHarmony versions where an attacker has local access.

💻 Affected Systems

Products:

OpenHarmony

Versions: v4.1.2 and prior versions

Operating Systems: OpenHarmony-based systems

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations of affected OpenHarmony versions are vulnerable. Requires local attacker access.

📦 What is this software?

Openharmony by Openatom

View all CVEs affecting Openharmony →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system crash or instability requiring reboot, potentially disrupting device functionality and availability.

🟠

Likely Case

Application or service crashes affecting specific functionality without complete system failure.

🟢

If Mitigated

Minimal impact with proper access controls limiting local attacker privileges.

🌐 Internet-Facing: LOW - Requires local access, not directly exploitable over network.

🏢 Internal Only: MEDIUM - Local attackers with access to vulnerable systems can cause service disruption.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local access and specific conditions to trigger the integer overflow. No public exploit code identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenHarmony v4.1.3 or later

Vendor Advisory: https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-02.md

Restart Required: Yes

Instructions:

1. Check current OpenHarmony version. 2. Update to v4.1.3 or later via official channels. 3. Reboot system after update. 4. Verify update completed successfully.

🔧 Temporary Workarounds

Restrict local access

all

Limit local user privileges and access to vulnerable systems

# Implement least privilege principles for local users
# Review and restrict local account permissions

🧯 If You Can't Patch

Implement strict access controls to limit local user privileges
Monitor systems for abnormal crashes or instability and isolate affected devices

🔍 How to Verify

Check if Vulnerable:

Check OpenHarmony version: 'getprop ro.build.version.ohos' or equivalent system command

Check Version:

getprop ro.build.version.ohos

Verify Fix Applied:

Verify version is v4.1.3 or later and test system stability

📡 Detection & Monitoring

Log Indicators:

System crash logs
Kernel panic messages
Application/service abnormal termination

Network Indicators:

None - local vulnerability only

SIEM Query:

Search for: 'system crash', 'kernel panic', 'segmentation fault' in system logs

📊 Metadata

CVE ID: CVE-2025-0302

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-190

EPSS Score: 0.03% exploit probability (7.3th percentile)

Published: February 7, 2025

Last Updated: February 11, 2025

🔗 References

https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-02.md Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-0302, you might also want to check these: