Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
In multiple functions of ubsan_throwing_runtime.cpp, there is a possible persistent denial of service due to an integer overflow. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Integer overflow in Android's UBSan throwing runtime (ubsan_throwing_runtime.cpp) enables a local attacker with low privileges to cause a persistent denial of service across Android 14 through Android 16 QPR2. The flaw affects multiple functions within the file and requires no user interaction to trigger, making it exploitable by a malicious on-device application without elevated privileges. No public exploit identified at time of analysis, and the local-only attack vector constrains real-world scope, but the persistent nature of the availability impact elevates operational concern over transient crash-based DoS.
Technical ContextAI
The vulnerability resides in ubsan_throwing_runtime.cpp, which is part of Android's UBSan (Undefined Behavior Sanitizer) throwing runtime library - a compiler-instrumented component responsible for raising exceptions when undefined behavior is detected at runtime. CWE-190 (Integer Overflow or Wraparound) identifies the root cause: one or more arithmetic operations in multiple functions of this file can exceed the maximum representable value of the integer type, causing a silent wraparound to an unintended value. This corrupted value is then used in a way that triggers a persistent denial of service, meaning the disruption is not self-resolving on process restart. CPE data (cpe:2.3:a:google:android:*:*:*:*:*:*:*:*) confirms the affected component is within Google's Android platform itself, spanning versions 14 through 16 QPR2 per EUVD-2026-33795.
RemediationAI
Apply the patches released in the June 2026 Android Security Bulletin available at https://source.android.com/docs/security/bulletin/2026/2026-06-01. The exact patched build version is not independently confirmed in the available input data beyond the bulletin reference - consult the bulletin directly for patch levels. OEM and carrier deployments of Android 14 through 16 QPR2 should monitor their respective vendor security update channels, as patch delivery timelines vary. As a compensating control where patching is delayed, restricting sideloaded or untrusted application installation (via managed device policy) reduces the attack surface by limiting which low-privilege processes can trigger the vulnerable code path. This mitigation does not eliminate risk from legitimate low-privilege apps already present on the device.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33795
GHSA-2xvp-67rw-gc3p