Skip to main content

Google Android EUVDEUVD-2026-33795

| CVE-2026-0079 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-06-01 google_android GHSA-2xvp-67rw-gc3p
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:32 vuln.today
CVSS changed
Jun 02, 2026 - 00:22 NVD
5.5 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 5.5

DescriptionCVE.org

In multiple functions of ubsan_throwing_runtime.cpp, there is a possible persistent denial of service due to an integer overflow. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Integer overflow in Android's UBSan throwing runtime (ubsan_throwing_runtime.cpp) enables a local attacker with low privileges to cause a persistent denial of service across Android 14 through Android 16 QPR2. The flaw affects multiple functions within the file and requires no user interaction to trigger, making it exploitable by a malicious on-device application without elevated privileges. No public exploit identified at time of analysis, and the local-only attack vector constrains real-world scope, but the persistent nature of the availability impact elevates operational concern over transient crash-based DoS.

Technical ContextAI

The vulnerability resides in ubsan_throwing_runtime.cpp, which is part of Android's UBSan (Undefined Behavior Sanitizer) throwing runtime library - a compiler-instrumented component responsible for raising exceptions when undefined behavior is detected at runtime. CWE-190 (Integer Overflow or Wraparound) identifies the root cause: one or more arithmetic operations in multiple functions of this file can exceed the maximum representable value of the integer type, causing a silent wraparound to an unintended value. This corrupted value is then used in a way that triggers a persistent denial of service, meaning the disruption is not self-resolving on process restart. CPE data (cpe:2.3:a:google:android:*:*:*:*:*:*:*:*) confirms the affected component is within Google's Android platform itself, spanning versions 14 through 16 QPR2 per EUVD-2026-33795.

RemediationAI

Apply the patches released in the June 2026 Android Security Bulletin available at https://source.android.com/docs/security/bulletin/2026/2026-06-01. The exact patched build version is not independently confirmed in the available input data beyond the bulletin reference - consult the bulletin directly for patch levels. OEM and carrier deployments of Android 14 through 16 QPR2 should monitor their respective vendor security update channels, as patch delivery timelines vary. As a compensating control where patching is delayed, restricting sideloaded or untrusted application installation (via managed device policy) reduces the attack surface by limiting which low-privilege processes can trigger the vulnerable code path. This mitigation does not eliminate risk from legitimate low-privilege apps already present on the device.

Share

EUVD-2026-33795 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy