Description
In multiple functions of ubsan_throwing_runtime.cpp, there is a possible persistent denial of service due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in multiple functions of ubsan_throwing_runtime.cpp triggers an integer overflow, which can cause a persistent denial of service and elevate local privileges. The overflow can be exploited without requiring additional execution privileges, allowing an attacker with local access to gain higher authority over the device. This kind of vulnerability undermines both the integrity and availability of the affected system.

Affected Systems

The vulnerability is reported for Google Android. Specific Android version details are not provided in the advisory, so all current releases may be susceptible until an official fix is released.

Risk and Exploitability

Exploitation requires only local access and no user interaction, making it potentially easier to trigger. With a CVSS score of 5.5, the vulnerability is considered medium severity. Although it is not listed in CISA’s KEV catalog, the possibility of local privilege escalation combined with denial of service indicates a significant risk to affected devices. Attackers could leverage the overflow to disrupt services or gain elevated control over the device without further privileges.

Generated by OpenCVE AI on June 2, 2026 at 02:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Google Android security bulletin for the latest patch and update the device to the fixed version as soon as it becomes available. If an immediate update is not possible, consider disabling the UndefinedBehaviorSanitizer (UBSan) via system configuration flags or limiting privileged system operations through device management. Document the vulnerability's impact on device-specific applications to identify any custom components that may also be affected.
  • Coordinate with device OEMs to ensure that any custom modifications comply with security guidelines and do not reintroduce the vulnerability.
  • Apply device management controls to restrict local user privileges and limit the execution of privileged system services, thereby reducing the potential for local privilege escalation until a vendor patch is issued.



Advisories

No advisories yet.

History

Tue, 02 Jun 2026 02:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Integer Overflow in ubsan_throwing_runtime.cpp Leading to Local Privilege Escalation and Denial of Service |

Tue, 02 Jun 2026 00:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Integer Overflow in ubsan_throwing_runtime.cpp Leading to Local Privilege Escalation and Denial of Service |
| Weaknesses | | CWE-190 |
| Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 01 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Google; Google android |
| Vendors & Products | | Google; Google android |

Mon, 01 Jun 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | In multiple functions of ubsan_throwing_runtime.cpp, there is a possible persistent denial of service due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
References

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-01T23:36:16.851Z

Reserved: 2025-10-15T15:39:33.146Z

Link: CVE-2026-0043

Vulnrichment

Updated: 2026-06-01T23:36:06.234Z

NVD

Status: Received

Published: 2026-06-01T22:16:20.003

Modified: 2026-06-02T00:16:34.137

Link: CVE-2026-0043

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T02:30:16Z

Weaknesses