Skip to main content

Google Android CVE-2026-0043

| EUVDEUVD-2026-33774 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-06-01 google_android GHSA-xr2g-57fm-4f25
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:26 vuln.today
CVSS changed
Jun 02, 2026 - 00:22 NVD
5.5 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 5.5

DescriptionCVE.org

In multiple functions of ubsan_throwing_runtime.cpp, there is a possible persistent denial of service due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Persistent denial of service and local privilege escalation in Google Android's UBSan runtime component affect Android 14, 15, 16-qpr2, and 16, stemming from an integer overflow in multiple functions of ubsan_throwing_runtime.cpp. An authenticated local attacker with low-level privileges and no required user interaction can exploit this overflow to trigger persistent availability loss and, per the description, possible privilege escalation. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

The vulnerability resides in ubsan_throwing_runtime.cpp, a component of Android's Undefined Behavior Sanitizer (UBSan) runtime - a compiler-instrumented safety layer that detects and handles undefined behavior such as out-of-bounds accesses and signed integer overflows at runtime. CWE-190 (Integer Overflow or Wraparound) describes the root cause: arithmetic operations on integer values exceed the representable range of the data type, causing the result to wrap around to an unintended value. In the context of a runtime support library managing exception dispatch and sanitizer signal handling, such overflows can corrupt internal state or size calculations governing memory operations, potentially enabling both persistent denial of service and privilege escalation. The affected CPE (cpe:2.3:a:google:android:*:*:*:*:*:*:*:*) spans multiple Android release branches as enumerated by EUVD-2026-33774.

RemediationAI

Apply patches included in Google's Android Security Bulletin for 2026-06-01, available at https://source.android.com/docs/security/bulletin/2026/2026-06-01. OEM and carrier distributions should incorporate these patches into over-the-air updates; device owners should apply pending system updates promptly. Note that an exact patched build version number was not independently confirmed from the available reference data - consult the bulletin directly for specific patch level identifiers. If immediate patching is not feasible, restricting untrusted local code execution, enforcing strict app sandboxing policies, and limiting interactive shell access to the device reduce exposure, though none of these controls eliminate the underlying vulnerability. Enterprise MDM policies enforcing minimum Android security patch levels can serve as a compensating detection and enforcement control while OEM rollouts are pending.

Share

CVE-2026-0043 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy