Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
In multiple functions of ubsan_throwing_runtime.cpp, there is a possible UBSan failure due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Remote denial of service in Google Android 14, 15, 16, and 16-qpr2 stems from an integer overflow in multiple functions of ubsan_throwing_runtime.cpp, the runtime component of Android's Undefined Behavior Sanitizer (UBSan). An authenticated low-privileged attacker over the network can trigger the overflow to crash the affected component, resulting in high availability impact with no user interaction required. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.
Technical ContextAI
The affected code resides in ubsan_throwing_runtime.cpp, which is part of Android's UBSan (Undefined Behavior Sanitizer) runtime - a compiler-instrumented safety layer that detects undefined behavior such as integer overflows in C/C++ code at runtime. The root cause is CWE-190 (Integer Overflow or Wraparound): arithmetic operations in multiple functions of this runtime file fail to bound-check intermediate values, allowing them to wrap around and produce unexpected or invalid states. Because UBSan's throwing runtime interfaces with the broader Android runtime environment, a triggerable overflow in this component can propagate into a denial-of-service condition. The CPE string cpe:2.3:a:google:android:*:*:*:*:*:*:*:* with EUVD-confirmed affected versions (Android 14, 15, 16, and 16-qpr2) indicates this is a platform-level issue in the Android application runtime, not a single app or OEM customization.
RemediationAI
Patch available per the Google Android Security Bulletin dated 2026-06-01 at https://source.android.com/docs/security/bulletin/2026/2026-06-01. Users and administrators should apply the June 2026 Android security update as soon as OEM-distributed builds become available for their devices; update timelines vary by manufacturer and carrier. For enterprise environments where patching is delayed, compensating controls include restricting low-privileged account access to affected Android services and enforcing network-level access controls to limit which endpoints can reach potentially vulnerable Android runtime interfaces. No specific workaround for disabling the UBSan throwing runtime is documented - disabling UBSan instrumentation would require recompilation and is not a viable production mitigation. The exact patched build version is not independently confirmed beyond the security bulletin reference.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33772
GHSA-q8r9-3c37-m77m