Impact
The vulnerability is an integer overflow in multiple functions within the file ubsan_throwing_runtime.cpp that can cause a persistent denial of service. Exploitation requires no additional privileges and no user interaction, so an attacker could trigger it remotely by supplying crafted input that overflows internal counters or memory sizes, potentially crashing the process or leaving the device unresponsive. The impact is on availability. Based on the description, it is inferred that the attack vector is remote and network-based.
Affected Systems
The affected vendor is Google Android. The specific Android releases that contain the vulnerable code are not listed in the data provided, so administrators must verify whether their devices run versions that include this code; a vendor security bulletin should list the affected builds once a patch is released. It is inferred that any build incorporating the vulnerable ubsan_throwing_runtime.cpp code could be affected.
Risk and Exploitability
The CVSS score is 6.5. No EPSS score is provided, but the description indicates that exploitation can occur remotely without user interaction, which typically signals a high likelihood of successful attacks once an attacker has network access to the device. Given the lack of EPSS data, it is inferred that the precise likelihood of exploitation is uncertain, although the remote nature suggests a non-negligible risk. The vulnerability is not listed in CISA’s KEV catalog, meaning no publicly known widespread exploitation has been reported. The primary risk is to availability: attackers could disrupt device operation.