Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause a crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Integer overflow in Google Android's ubsan_throwing_runtime.cpp enables remote denial of service across Android 14, 15, 16, and 16-qpr2. A network-accessible low-privileged attacker can trigger a process crash through crafted input targeting multiple functions in this runtime component, resulting in complete availability loss with no user interaction required. No public exploit code has been identified at time of analysis, and Google addressed the issue in the June 2026 Android Security Bulletin.
Technical ContextAI
The vulnerability resides in ubsan_throwing_runtime.cpp, part of the Undefined Behavior Sanitizer (UBSan) runtime embedded in Android. UBSan is a compiler-instrumented runtime designed to detect undefined behavior - including integer overflows - making it notable that the vulnerability itself is a CWE-190 integer overflow within that sanitizer runtime. When arithmetic operations across multiple functions in this file produce values exceeding the bounds of their integer type, the resulting wraparound corrupts internal state or control flow, causing a process crash. The CPE string cpe:2.3:a:google:android:*:*:*:*:*:*:*:* confirms scope covers the Android application platform across all architectures. The CVSS vector AV:N/AC:L indicates this component processes or is reachable via externally supplied network data, and the low attack complexity suggests no unusual preconditions for triggering the overflow path.
RemediationAI
Apply the security patches published in the Android Security Bulletin dated 2026-06-01, available at https://source.android.com/docs/security/bulletin/2026/2026-06-01. No exact patched build string or version tag was independently confirmed from the available references - the fix is attributed to the June 2026 patch level but not verified to a specific tagged release. OEM device manufacturers and enterprise MDM administrators should prioritize distributing the corresponding June 2026 security update to managed fleets running Android 14, 15, 16, or 16-qpr2. As a compensating control pending patch deployment, restricting network-accessible Android services that invoke UBSan runtime components can reduce exposure, though the precise attack surface within those services is not fully characterized from available data. Limiting low-privileged account access to system-level services may provide marginal risk reduction at the cost of application functionality.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33796
GHSA-c384-wv8g-w394