Skip to main content

Google Android CVE-2026-0044

| EUVDEUVD-2026-33775 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-06-01 google_android GHSA-7q5q-5fv3-fv9g
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:26 vuln.today
CVSS changed
Jun 02, 2026 - 00:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 6.5

DescriptionCVE.org

In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause the system to crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Remote denial of service in Google Android versions 14, 15, 16, and 16-qpr2 stems from an integer overflow across multiple functions in ubsan_throwing_runtime.cpp, a low-level UBSan instrumentation component. An authenticated attacker with low privileges can trigger a full system crash over the network with no user interaction required, achieving complete availability impact (CVSS A:H) with no confidentiality or integrity risk. No public exploit or CISA KEV listing has been identified at time of analysis, and Google addressed the issue in the June 2026 Android Security Bulletin.

Technical ContextAI

The vulnerability originates in ubsan_throwing_runtime.cpp, part of Android's UBSan (Undefined Behavior Sanitizer) throwing runtime - a compile-time instrumentation layer derived from LLVM/Clang that handles exception-based reporting of undefined behavior in sanitized native code. CWE-190 (Integer Overflow or Wraparound) identifies the root cause: integer arithmetic in multiple functions within this runtime exceeds the representable range of the integer type, producing undefined behavior that the runtime cannot gracefully handle, culminating in a system-level crash. Per the CPE identifier cpe:2.3:a:google:android:*:*:*:*:*:*:*:*, the flaw is present across the Android platform broadly, not confined to a single hardware architecture or build variant. The crash behavior (A:H with S:U scope) indicates the overflow corrupts internal runtime state in a way that triggers a fatal failure, impacting availability of the affected Android instance.

RemediationAI

Apply the security fixes published in the June 2026 Android Security Bulletin at https://source.android.com/docs/security/bulletin/2026/2026-06-01. Device OEMs should integrate the corresponding security patch level into firmware updates; end users should apply system updates from their device manufacturer as soon as they become available. The exact patched build version or security patch level string (e.g., 2026-06-01 or 2026-06-05) is not independently confirmed beyond the bulletin reference - consult the bulletin directly for patch level verification. No vendor-documented workaround is available in the provided intelligence. As a compensating control where patching is delayed, restricting installation of untrusted third-party applications reduces the pool of potential low-privilege attackers able to trigger the vulnerable code path, at the cost of application ecosystem flexibility. Network-level controls are of limited value given that the attack vector reflects network-reachable triggering through the Android runtime rather than a direct network socket.

Share

CVE-2026-0044 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy