We have identified a new vulnerability in Huawei’s Hypervisor implementation. The vulnerability can be exploited to bypass Huawei’s HKIP (Kernel Integrity Protection) exploit mitigations.

The vulnerability we are disclosing in this advisory affected a wide range of Huawei devices, including phones on the newest chipsets. The vendor did not produce a fix/CVE for the reported vulnerability.

Vulnerability Details

The Huawei Hypervisor Execution Environment (HEE) implements additional memory protection for the Linux kernel by restricting certain memory accesses using stage 2 address translation.

However, the HEE also exposes an API to the Linux kernel via Hypervisor Calls (HVC) that can be used directly to modify the stage 2 translation tables and therefore remove these protections, bypassing the intended exploit mitigation entirely.

Specifically, checkroot protections can be bypassed by issuing HKIP_HVC_ROWM_SET_BIT HVC calls, and SELinux object protections can be bypassed by issuing HKIP_HVC_RO_MOD_UNREGISTER calls.

For more details, see [this](https://labs.taszk.io/articles/post/hypervisor1/) blog post.

Affected Devices

Huawei devices with various Kirin chipsets implementing HKIP.

Fix

N/A

Timeline

  • 2021.11.29. Bug reported to Huawei PSIRT
  • 2022.02.25. Huawei communicates that the vulnerability is considered out-of-scope and will not be given a CVE
  • 2025.10.01. Advisory release