Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause the system to crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Remote denial of service in Google Android versions 14, 15, 16, and 16-qpr2 stems from an integer overflow across multiple functions in ubsan_throwing_runtime.cpp, a low-level UBSan instrumentation component. An authenticated attacker with low privileges can trigger a full system crash over the network with no user interaction required, achieving complete availability impact (CVSS A:H) with no confidentiality or integrity risk. No public exploit or CISA KEV listing has been identified at time of analysis, and Google addressed the issue in the June 2026 Android Security Bulletin.
Technical ContextAI
The vulnerability originates in ubsan_throwing_runtime.cpp, part of Android's UBSan (Undefined Behavior Sanitizer) throwing runtime - a compile-time instrumentation layer derived from LLVM/Clang that handles exception-based reporting of undefined behavior in sanitized native code. CWE-190 (Integer Overflow or Wraparound) identifies the root cause: integer arithmetic in multiple functions within this runtime exceeds the representable range of the integer type, producing undefined behavior that the runtime cannot gracefully handle, culminating in a system-level crash. Per the CPE identifier cpe:2.3:a:google:android:*:*:*:*:*:*:*:*, the flaw is present across the Android platform broadly, not confined to a single hardware architecture or build variant. The crash behavior (A:H with S:U scope) indicates the overflow corrupts internal runtime state in a way that triggers a fatal failure, impacting availability of the affected Android instance.
RemediationAI
Apply the security fixes published in the June 2026 Android Security Bulletin at https://source.android.com/docs/security/bulletin/2026/2026-06-01. Device OEMs should integrate the corresponding security patch level into firmware updates; end users should apply system updates from their device manufacturer as soon as they become available. The exact patched build version or security patch level string (e.g., 2026-06-01 or 2026-06-05) is not independently confirmed beyond the bulletin reference - consult the bulletin directly for patch level verification. No vendor-documented workaround is available in the provided intelligence. As a compensating control where patching is delayed, restricting installation of untrusted third-party applications reduces the pool of potential low-privilege attackers able to trigger the vulnerable code path, at the cost of application ecosystem flexibility. Network-level controls are of limited value given that the attack vector reflects network-reachable triggering through the Android runtime rather than a direct network socket.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33775
GHSA-7q5q-5fv3-fv9g