Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause a permanent denial of service due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Permanent local denial of service in Google Android (versions 14, 15, 16, and 16-qpr2) is possible through a logic error in multiple functions of ubsan_throwing_runtime.cpp, Android's Undefined Behavior Sanitizer throwing runtime. A low-privileged local user can trigger the flaw without any user interaction, causing an unrecoverable availability failure in the affected component - requiring a reboot or process restart to restore normal function. No public exploit code exists and no CISA KEV listing is present at time of analysis, indicating this is not currently under widespread active exploitation.
Technical ContextAI
The affected component is ubsan_throwing_runtime.cpp, part of Android's UBSan (Undefined Behavior Sanitizer) throwing runtime - a C++ system library responsible for detecting undefined behavior and dispatching exceptions in sanitized runtime environments. A logic error in this file's functions causes the runtime to enter a state from which it cannot self-recover, resulting in a permanent availability impact rather than a transient crash. The CPE string cpe:2.3:a:google:android covers all four affected Android release trains: 14, 15, 16, and 16-qpr2. CWE is formally listed as N/A by the reporter; however, the 'logic error' characterization is consistent with state/control-flow management flaws (e.g., CWE-670 or CWE-754 class). The CVSS scope is Unchanged (S:U), confirming impact is contained within the vulnerable component's security boundary and does not escalate to kernel or other processes.
RemediationAI
Apply the June 2026 Android Security Bulletin patch addressing CVE-2026-0067, referenced at https://source.android.com/docs/security/bulletin/2026/2026-06-01, covering Android 14, 15, 16, and 16-qpr2. An exact patched build version number is not independently confirmed from the available intelligence - OEM-distributed updates (e.g., Samsung, Pixel, OnePlus) will carry device-specific patch levels. Users should verify their device's Security Patch Level reflects 2026-06-01 or later. As a compensating control where patching is delayed: restrict untrusted local application execution privileges and enforce application sandboxing to limit which processes can invoke the affected runtime component. This trade-off accepts reduced application functionality in exchange for reduced exposure to the DoS trigger surface.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33787
GHSA-h554-cqp4-xfwr