Skip to main content

Google Android EUVDEUVD-2026-33781

| CVE-2026-0052 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-06-01 google_android GHSA-hh3g-2wmg-w3jv
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:26 vuln.today
CVSS changed
Jun 02, 2026 - 00:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 6.5

DescriptionCVE.org

In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause a crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Remote denial of service in Google Android (versions 14, 15, 16, and 16-qpr2) is achievable by an authenticated network attacker exploiting an integer overflow in multiple functions of ubsan_throwing_runtime.cpp. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms low-complexity network exploitation requiring only low-privilege authentication and no user interaction, resulting in a full availability impact (A:H). No public exploit code or CISA KEV listing has been identified at time of analysis, though the broad version coverage across current and recent Android releases makes this a notable patching priority.

Technical ContextAI

The vulnerability resides in ubsan_throwing_runtime.cpp, which is part of the UndefinedBehaviorSanitizer (UBSan) throwing runtime - a compiler instrumentation layer embedded in the Android platform that detects and reports undefined behavior at runtime. CWE-190 (Integer Overflow or Wraparound) identifies the root cause: arithmetic operations in multiple functions of this component fail to validate intermediate integer values, allowing them to wrap or overflow in a way that triggers a crash condition. Because UBSan runtime support is deeply integrated into Android's native execution environment, the crash surface is systemic rather than confined to a single application. The affected CPE is cpe:2.3:a:google:android:*:*:*:*:*:*:*:*, spanning the Android platform as reported by google_android.

RemediationAI

The primary remediation is to apply the patches published in the Android Security Bulletin for 2026-06-01, available at https://source.android.com/docs/security/bulletin/2026/2026-06-01. Device manufacturers (OEMs) and carriers must integrate and distribute these patches; end users should apply Android system updates as soon as OEM-distributed updates become available. An exact patched version number was not independently confirmed from the available input data - verify the specific security patch level (SPL) from the bulletin. For environments where patching is delayed, restricting authenticated access to services that invoke UBSan runtime paths - for example, limiting network-exposed Android services to trusted internal segments - can reduce the attack surface. This compensating control does not eliminate the vulnerability and may affect service availability for legitimate users.

Share

EUVD-2026-33781 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy