Skip to main content

Google Android CVE-2026-0067

| EUVDEUVD-2026-33787 MEDIUM
2026-06-01 google_android GHSA-h554-cqp4-xfwr
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:31 vuln.today
CVSS changed
Jun 02, 2026 - 00:22 NVD
5.5 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 5.5

DescriptionCVE.org

In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause a permanent denial of service due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Permanent local denial of service in Google Android (versions 14, 15, 16, and 16-qpr2) is possible through a logic error in multiple functions of ubsan_throwing_runtime.cpp, Android's Undefined Behavior Sanitizer throwing runtime. A low-privileged local user can trigger the flaw without any user interaction, causing an unrecoverable availability failure in the affected component - requiring a reboot or process restart to restore normal function. No public exploit code exists and no CISA KEV listing is present at time of analysis, indicating this is not currently under widespread active exploitation.

Technical ContextAI

The affected component is ubsan_throwing_runtime.cpp, part of Android's UBSan (Undefined Behavior Sanitizer) throwing runtime - a C++ system library responsible for detecting undefined behavior and dispatching exceptions in sanitized runtime environments. A logic error in this file's functions causes the runtime to enter a state from which it cannot self-recover, resulting in a permanent availability impact rather than a transient crash. The CPE string cpe:2.3:a:google:android covers all four affected Android release trains: 14, 15, 16, and 16-qpr2. CWE is formally listed as N/A by the reporter; however, the 'logic error' characterization is consistent with state/control-flow management flaws (e.g., CWE-670 or CWE-754 class). The CVSS scope is Unchanged (S:U), confirming impact is contained within the vulnerable component's security boundary and does not escalate to kernel or other processes.

RemediationAI

Apply the June 2026 Android Security Bulletin patch addressing CVE-2026-0067, referenced at https://source.android.com/docs/security/bulletin/2026/2026-06-01, covering Android 14, 15, 16, and 16-qpr2. An exact patched build version number is not independently confirmed from the available intelligence - OEM-distributed updates (e.g., Samsung, Pixel, OnePlus) will carry device-specific patch levels. Users should verify their device's Security Patch Level reflects 2026-06-01 or later. As a compensating control where patching is delayed: restrict untrusted local application execution privileges and enforce application sandboxing to limit which processes can invoke the affected runtime component. This trade-off accepts reduced application functionality in exchange for reduced exposure to the DoS trigger surface.

Share

CVE-2026-0067 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy