Skip to main content

Google Android CVE-2026-0051

| EUVDEUVD-2026-33780 MEDIUM
Improper Input Validation (CWE-20)
2026-06-01 google_android GHSA-pvv5-98w3-h66j
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:26 vuln.today
CVSS changed
Jun 02, 2026 - 00:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 6.5

DescriptionCVE.org

In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause a system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Remote denial-of-service in Google Android's UBSan runtime (ubsan_throwing_runtime.cpp) allows a low-privileged network attacker to crash the system across Android 14, 15, 16, and 16-qpr2. The flaw stems from improper input validation in multiple functions of the Undefined Behavior Sanitizer throwing runtime, a component integrated into Android's native code execution layer. No user interaction is required and no public exploit has been identified at time of analysis; the vulnerability is addressed in the June 2026 Android Security Bulletin.

Technical ContextAI

The affected file ubsan_throwing_runtime.cpp is part of Android's Undefined Behavior Sanitizer (UBSan) runtime library - a compiler-instrumented component that detects and handles undefined behavior at runtime, including type mismatches and out-of-bounds accesses in native (C/C++) code. Multiple functions within this runtime fail to properly validate external input (CWE-20: Improper Input Validation), meaning crafted data reaching these functions can trigger unhandled error paths that crash the runtime process. Because UBSan runtime code can be invoked via network-accessible Android services or APIs that surface native processing, the attack vector is classified as network (AV:N). The CPE string cpe:2.3:a:google:android:*:*:*:*:*:*:*:* confirms the vulnerability exists at the Android application platform layer across a broad version range, including stable releases 14, 15, 16, and the QPR2 feature drop of Android 16.

RemediationAI

Apply the June 2026 Android Security Bulletin patch, available via https://source.android.com/docs/security/bulletin/2026/2026-06-01. Device OEMs and carriers typically distribute this as a monthly security patch level (SPL) update; ensure devices are updated to the 2026-06-01 SPL or later. An exact patched version number has not been independently confirmed from available data - the fix version is described by bulletin date rather than a discrete release tag. As a compensating control where patching is delayed, restrict network-level access to Android services that invoke native runtime code processing external input, such as through enterprise MDM network segmentation policies. This reduces exposure surface but does not eliminate the underlying vulnerability and may impact legitimate service functionality.

Share

CVE-2026-0051 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy