Skip to main content

Google Android CVE-2026-0041

| EUVDEUVD-2026-33772 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-06-01 google_android GHSA-q8r9-3c37-m77m
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:25 vuln.today
CVSS changed
Jun 02, 2026 - 00:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 6.5

DescriptionCVE.org

In multiple functions of ubsan_throwing_runtime.cpp, there is a possible UBSan failure due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Remote denial of service in Google Android 14, 15, 16, and 16-qpr2 stems from an integer overflow in multiple functions of ubsan_throwing_runtime.cpp, the runtime component of Android's Undefined Behavior Sanitizer (UBSan). An authenticated low-privileged attacker over the network can trigger the overflow to crash the affected component, resulting in high availability impact with no user interaction required. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.

Technical ContextAI

The affected code resides in ubsan_throwing_runtime.cpp, which is part of Android's UBSan (Undefined Behavior Sanitizer) runtime - a compiler-instrumented safety layer that detects undefined behavior such as integer overflows in C/C++ code at runtime. The root cause is CWE-190 (Integer Overflow or Wraparound): arithmetic operations in multiple functions of this runtime file fail to bound-check intermediate values, allowing them to wrap around and produce unexpected or invalid states. Because UBSan's throwing runtime interfaces with the broader Android runtime environment, a triggerable overflow in this component can propagate into a denial-of-service condition. The CPE string cpe:2.3:a:google:android:*:*:*:*:*:*:*:* with EUVD-confirmed affected versions (Android 14, 15, 16, and 16-qpr2) indicates this is a platform-level issue in the Android application runtime, not a single app or OEM customization.

RemediationAI

Patch available per the Google Android Security Bulletin dated 2026-06-01 at https://source.android.com/docs/security/bulletin/2026/2026-06-01. Users and administrators should apply the June 2026 Android security update as soon as OEM-distributed builds become available for their devices; update timelines vary by manufacturer and carrier. For enterprise environments where patching is delayed, compensating controls include restricting low-privileged account access to affected Android services and enforcing network-level access controls to limit which endpoints can reach potentially vulnerable Android runtime interfaces. No specific workaround for disabling the UBSan throwing runtime is documented - disabling UBSan instrumentation would require recompilation and is not a viable production mitigation. The exact patched build version is not independently confirmed beyond the security bulletin reference.

Share

CVE-2026-0041 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy