Three vulnerabilities were disclosed on May 19, 2026 against OpenHarmony v6.0, the open-source OS underpinning Huawei consumer devices and an expanding range of Android-compatible hardware. CVE-2026-27648 (CVSS 8.8) and CVE-2026-24792 (CVSS 8.1) both allow remote arbitrary code execution via pre-installed apps, while CVE-2026-25781 (CVSS 8.4) enables a local denial of service through the same attack surface. Developers shipping apps into the Huawei AppGallery or targeting OpenHarmony-compatible devices should assess their exposure and monitor the OpenHarmony security advisory channel for patched builds. Because the attack surface is pre-installed apps, end users cannot self-remediate without an OS update, which raises the urgency of OEM patch distribution. Teams maintaining any native or hybrid code that interacts with system services on OpenHarmony should treat this as a high-priority review item.