Skip to main content

Google Android CVE-2026-0040

| EUVDEUVD-2026-33771 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-06-01 google_android GHSA-fpvf-j2jf-ggp7
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:24 vuln.today
CVSS changed
Jun 02, 2026 - 00:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 6.5

DescriptionCVE.org

In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause a crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Remote denial of service in Google Android 14, 15, 16, and 16-qpr2 is possible via an integer overflow in multiple functions of ubsan_throwing_runtime.cpp, a component of Android's UndefinedBehaviorSanitizer runtime. Network-accessible, low-privileged attackers (CVSS PR:L, AV:N, AC:L) can crash affected devices without requiring user interaction, resulting in availability loss with no confidentiality or integrity impact. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Technical ContextAI

The vulnerable code resides in ubsan_throwing_runtime.cpp, part of Android's UndefinedBehaviorSanitizer (UBSan) runtime - a compiler instrumentation layer integrated into the Android platform to detect and report undefined behavior at runtime. CWE-190 (Integer Overflow or Wraparound) identifies the root cause: arithmetic operations on integer values that exceed their representable bounds, producing wrapped or truncated results that are then used in ways that cause a crash (e.g., incorrect memory size calculations or out-of-bounds access). The affected CPE is cpe:2.3:a:google:android:*:*:*:*:*:*:*:*, covering all architecture variants across Android 14, 15, 16, and 16-qpr2 as enumerated in EUVD-2026-33771.

RemediationAI

Apply the June 2026 Android Security Bulletin patches corresponding to the 2026-06-01 security patch level, as published by Google at https://source.android.com/docs/security/bulletin/2026/2026-06-01. An exact fixed build version number is not independently confirmed from available data beyond the bulletin patch level date. Device users should update to the first available OEM or carrier build that includes the 2026-06-01 patch level. As a compensating control pending patching, restrict network-level access to services or interfaces that could trigger the vulnerable UBSan runtime code paths - this may limit functionality depending on which application-layer features are involved. No side-effect-free workaround that fully mitigates the issue without patching has been identified.

Share

CVE-2026-0040 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy