Skip to main content

Google Android CVE-2026-0080

| EUVDEUVD-2026-33796 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-06-01 google_android GHSA-c384-wv8g-w394
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:33 vuln.today
CVSS changed
Jun 02, 2026 - 00:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 6.5

DescriptionCVE.org

In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause a crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Integer overflow in Google Android's ubsan_throwing_runtime.cpp enables remote denial of service across Android 14, 15, 16, and 16-qpr2. A network-accessible low-privileged attacker can trigger a process crash through crafted input targeting multiple functions in this runtime component, resulting in complete availability loss with no user interaction required. No public exploit code has been identified at time of analysis, and Google addressed the issue in the June 2026 Android Security Bulletin.

Technical ContextAI

The vulnerability resides in ubsan_throwing_runtime.cpp, part of the Undefined Behavior Sanitizer (UBSan) runtime embedded in Android. UBSan is a compiler-instrumented runtime designed to detect undefined behavior - including integer overflows - making it notable that the vulnerability itself is a CWE-190 integer overflow within that sanitizer runtime. When arithmetic operations across multiple functions in this file produce values exceeding the bounds of their integer type, the resulting wraparound corrupts internal state or control flow, causing a process crash. The CPE string cpe:2.3:a:google:android:*:*:*:*:*:*:*:* confirms scope covers the Android application platform across all architectures. The CVSS vector AV:N/AC:L indicates this component processes or is reachable via externally supplied network data, and the low attack complexity suggests no unusual preconditions for triggering the overflow path.

RemediationAI

Apply the security patches published in the Android Security Bulletin dated 2026-06-01, available at https://source.android.com/docs/security/bulletin/2026/2026-06-01. No exact patched build string or version tag was independently confirmed from the available references - the fix is attributed to the June 2026 patch level but not verified to a specific tagged release. OEM device manufacturers and enterprise MDM administrators should prioritize distributing the corresponding June 2026 security update to managed fleets running Android 14, 15, 16, or 16-qpr2. As a compensating control pending patch deployment, restricting network-accessible Android services that invoke UBSan runtime components can reduce exposure, though the precise attack surface within those services is not fully characterized from available data. Limiting low-privileged account access to system-level services may provide marginal risk reduction at the cost of application functionality.

Share

CVE-2026-0080 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy