Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
In multiple functions of ubsan_throwing_runtime.cpp, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Persistent local denial of service in Google Android affects multiple functions within ubsan_throwing_runtime.cpp, where uncontrolled resource exhaustion can render a device or process permanently unavailable without requiring elevated privileges. Confirmed affected versions span Android 14, 15, 16-qpr2, and 16 per the June 2026 Android Security Bulletin. No public exploit code has been identified at time of analysis, and this is not listed in CISA KEV; however, the 'persistent' nature of the denial of service - implying state survives process restart or requires manual intervention - elevates practical impact beyond a typical availability disruption.
Technical ContextAI
The vulnerability resides in ubsan_throwing_runtime.cpp, which is part of Android's UBSan (Undefined Behavior Sanitizer) throwing runtime - a component instrumented into Android's C/C++ runtime layer to detect and handle undefined behavior exceptions. In production Android builds, this runtime participates in process-level exception handling. CWE-400 (Uncontrolled Resource Consumption) indicates that one or more functions in this file fail to bound resource allocation - such as memory, file descriptors, or exception objects - when handling specific inputs or internal states. The CPE string (cpe:2.3:a:google:android:*:*:*:*:*:*:*:*) reflects a broad impact across Android as a platform application layer. The keyword 'multiple functions' suggests the resource exhaustion pattern is systemic within the file rather than isolated to a single code path, which may complicate targeted patching.
RemediationAI
Apply the patches distributed via the June 2026 Android Security Bulletin, available at https://source.android.com/docs/security/bulletin/2026/2026-06-01. OEM and carrier-distributed Android updates incorporating this bulletin's patch level should be applied as soon as available for affected devices running Android 14, 15, 16-qpr2, or 16. An exact patched version number beyond the bulletin date is not independently confirmed in the available data - confirm your device's security patch level reflects 2026-06-01 or later. If patching is not immediately possible, restricting shell or ADB access to untrusted users on managed devices reduces the attack surface, since exploitation requires local authenticated access (PR:L). Disabling developer options and USB debugging on end-user devices eliminates one common local access vector. Note that these compensating controls do not eliminate the vulnerability for users with legitimate local access (e.g., shared or kiosk devices).
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33773
GHSA-5x79-gqqx-wjrq