CVE-2025-25277 PUBLISHED

arkcompiler_ets_runtime has a type confusion vulnerability

Assigner: OpenHarmony
Reserved: 02.03.2025 Published: 16.03.2026 Updated: 16.03.2026

in OpenHarmony v5.1.0 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through using incompatible type. This vulnerability can be exploited only in restricted scenarios.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS Score: 6.3

Attack Vector	Local	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	OpenHarmony
Product	OpenHarmony
Versions	Default: unaffected affected from v5.0.3 to v5.1.0.x (incl.)

References

https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2025/2025-11.md

Problem Types

CWE-843 Access of resource using incompatible type ('type confusion') CWE