Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause a system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Remote denial-of-service in Google Android's UBSan runtime (ubsan_throwing_runtime.cpp) allows a low-privileged network attacker to crash the system across Android 14, 15, 16, and 16-qpr2. The flaw stems from improper input validation in multiple functions of the Undefined Behavior Sanitizer throwing runtime, a component integrated into Android's native code execution layer. No user interaction is required and no public exploit has been identified at time of analysis; the vulnerability is addressed in the June 2026 Android Security Bulletin.
Technical ContextAI
The affected file ubsan_throwing_runtime.cpp is part of Android's Undefined Behavior Sanitizer (UBSan) runtime library - a compiler-instrumented component that detects and handles undefined behavior at runtime, including type mismatches and out-of-bounds accesses in native (C/C++) code. Multiple functions within this runtime fail to properly validate external input (CWE-20: Improper Input Validation), meaning crafted data reaching these functions can trigger unhandled error paths that crash the runtime process. Because UBSan runtime code can be invoked via network-accessible Android services or APIs that surface native processing, the attack vector is classified as network (AV:N). The CPE string cpe:2.3:a:google:android:*:*:*:*:*:*:*:* confirms the vulnerability exists at the Android application platform layer across a broad version range, including stable releases 14, 15, 16, and the QPR2 feature drop of Android 16.
RemediationAI
Apply the June 2026 Android Security Bulletin patch, available via https://source.android.com/docs/security/bulletin/2026/2026-06-01. Device OEMs and carriers typically distribute this as a monthly security patch level (SPL) update; ensure devices are updated to the 2026-06-01 SPL or later. An exact patched version number has not been independently confirmed from available data - the fix version is described by bulletin date rather than a discrete release tag. As a compensating control where patching is delayed, restrict network-level access to Android services that invoke native runtime code processing external input, such as through enterprise MDM network segmentation policies. This reduces exposure surface but does not eliminate the underlying vulnerability and may impact legitimate service functionality.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33780
GHSA-pvv5-98w3-h66j