Skip to main content

Google Android CVE-2026-0042

| EUVDEUVD-2026-33773 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-06-01 google_android GHSA-5x79-gqqx-wjrq
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:25 vuln.today
CVSS changed
Jun 02, 2026 - 00:22 NVD
5.5 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 5.5

DescriptionCVE.org

In multiple functions of ubsan_throwing_runtime.cpp, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Persistent local denial of service in Google Android affects multiple functions within ubsan_throwing_runtime.cpp, where uncontrolled resource exhaustion can render a device or process permanently unavailable without requiring elevated privileges. Confirmed affected versions span Android 14, 15, 16-qpr2, and 16 per the June 2026 Android Security Bulletin. No public exploit code has been identified at time of analysis, and this is not listed in CISA KEV; however, the 'persistent' nature of the denial of service - implying state survives process restart or requires manual intervention - elevates practical impact beyond a typical availability disruption.

Technical ContextAI

The vulnerability resides in ubsan_throwing_runtime.cpp, which is part of Android's UBSan (Undefined Behavior Sanitizer) throwing runtime - a component instrumented into Android's C/C++ runtime layer to detect and handle undefined behavior exceptions. In production Android builds, this runtime participates in process-level exception handling. CWE-400 (Uncontrolled Resource Consumption) indicates that one or more functions in this file fail to bound resource allocation - such as memory, file descriptors, or exception objects - when handling specific inputs or internal states. The CPE string (cpe:2.3:a:google:android:*:*:*:*:*:*:*:*) reflects a broad impact across Android as a platform application layer. The keyword 'multiple functions' suggests the resource exhaustion pattern is systemic within the file rather than isolated to a single code path, which may complicate targeted patching.

RemediationAI

Apply the patches distributed via the June 2026 Android Security Bulletin, available at https://source.android.com/docs/security/bulletin/2026/2026-06-01. OEM and carrier-distributed Android updates incorporating this bulletin's patch level should be applied as soon as available for affected devices running Android 14, 15, 16-qpr2, or 16. An exact patched version number beyond the bulletin date is not independently confirmed in the available data - confirm your device's security patch level reflects 2026-06-01 or later. If patching is not immediately possible, restricting shell or ADB access to untrusted users on managed devices reduces the attack surface, since exploitation requires local authenticated access (PR:L). Disabling developer options and USB debugging on end-user devices eliminates one common local access vector. Note that these compensating controls do not eliminate the vulnerability for users with legitimate local access (e.g., shared or kiosk devices).

Share

CVE-2026-0042 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy