Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause a crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Remote denial of service in Google Android 14, 15, 16, and 16-qpr2 is possible via an integer overflow in multiple functions of ubsan_throwing_runtime.cpp, a component of Android's UndefinedBehaviorSanitizer runtime. Network-accessible, low-privileged attackers (CVSS PR:L, AV:N, AC:L) can crash affected devices without requiring user interaction, resulting in availability loss with no confidentiality or integrity impact. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Technical ContextAI
The vulnerable code resides in ubsan_throwing_runtime.cpp, part of Android's UndefinedBehaviorSanitizer (UBSan) runtime - a compiler instrumentation layer integrated into the Android platform to detect and report undefined behavior at runtime. CWE-190 (Integer Overflow or Wraparound) identifies the root cause: arithmetic operations on integer values that exceed their representable bounds, producing wrapped or truncated results that are then used in ways that cause a crash (e.g., incorrect memory size calculations or out-of-bounds access). The affected CPE is cpe:2.3:a:google:android:*:*:*:*:*:*:*:*, covering all architecture variants across Android 14, 15, 16, and 16-qpr2 as enumerated in EUVD-2026-33771.
RemediationAI
Apply the June 2026 Android Security Bulletin patches corresponding to the 2026-06-01 security patch level, as published by Google at https://source.android.com/docs/security/bulletin/2026/2026-06-01. An exact fixed build version number is not independently confirmed from available data beyond the bulletin patch level date. Device users should update to the first available OEM or carrier build that includes the 2026-06-01 patch level. As a compensating control pending patching, restrict network-level access to services or interfaces that could trigger the vulnerable UBSan runtime code paths - this may limit functionality depending on which application-layer features are involved. No side-effect-free workaround that fully mitigates the issue without patching has been identified.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33771
GHSA-fpvf-j2jf-ggp7