Description
In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause a crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An integer overflow can occur in several UBSan runtime functions when handling input data, causing the program to crash. The crash can be triggered remotely without the need for elevated privileges or user interaction, resulting in a denial‑of‑service condition that affects the entire Android system. The flaw is a classic Integer Overflow or Wraparound (CWE‑190) vulnerability.

Affected Systems

The vulnerability impacts devices that run Google’s Android operating system. Specific affected versions are not listed; therefore, any build that includes the UBSan runtime code referenced in the description may be vulnerable until a patch is applied.

Risk and Exploitability

Because the defect leads only to a crash and does not allow code execution or data exfiltration, the immediate risk is a denial‑of‑service. The CVSS score of 6.5 indicates a moderate severity. The EPSS score is not available, and the vulnerability is not yet in the CISA KEV catalog, indicating no publicly known exploits. An attacker can send crafted input over a network or service that processes untrusted data, overflowing an integer in UBSan handlers and forcing the device to reboot or stop functioning. The attack does not require privileged access or user interaction, so it can be launched against any exposed component.

Generated by OpenCVE AI on June 2, 2026 at 01:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Android security update that addresses the UBSan integer overflow defect.
  • Configure devices to automatically download and install security updates to ensure the fix is applied as soon as it is released.
  • Monitor system crash logs for UBSan‑related failures to detect potential exploitation attempts.



Advisories

No advisories yet.

History

Tue, 02 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Title Integer Overflow in UBSan Runtime Causes Remote Denial of Service in Android

Tue, 02 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Title Integer Overflow in UBSan Runtime Causes Remote Denial of Service in Android
Weaknesses CWE-190

Mon, 01 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause a crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
References

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-01T23:39:12.870Z

Reserved: 2025-10-15T15:39:28.295Z

Link: CVE-2026-0040

Vulnrichment

Updated: 2026-06-01T23:38:10.998Z

NVD

Status: Received

Published: 2026-06-01T22:16:19.713

Modified: 2026-06-02T00:16:33.720

Link: CVE-2026-0040

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T02:00:14Z

Weaknesses