MEDIUM 6.5

CVE-2026-0040: Android ubsan_throwing_runtime Integer Overflow DoS Vulnerability

CVE-2026-0040 is an integer overflow vulnerability in Google Android's ubsan_throwing_runtime.cpp file that allows an authenticated attacker to remotely crash the system. No special privileges or user interaction are required for exploitation, making this a straightforward denial-of-service attack vector. The flaw resides in multiple functions within a core runtime component, meaning the exposure is likely widespread across affected Android versions.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-190
Affected products
6 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause a crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from an integer overflow condition in ubsan_throwing_runtime.cpp, a component of Android's undefined behavior sanitizer runtime. Integer overflows occur when arithmetic operations produce values exceeding the maximum representable size for their data type, potentially wrapping to unexpected values. In this case, multiple functions fail to validate or prevent such overflows, allowing an authenticated network attacker to trigger the overflow and cause an abnormal termination of the affected process. The vulnerability is classified under CWE-190 (Integer Overflow or Wraparound).

Business impact

Organizations deploying affected Android devices face availability disruptions from repeated or sustained denial-of-service attacks. For enterprise Android deployments—including managed mobile devices, Android-based IoT systems, and enterprise applications running on Android—an attacker with valid credentials can disrupt service without needing to elevate privileges or manipulate users. This creates operational risk, particularly for organizations relying on Android for mission-critical or customer-facing systems. Reputational impact and support costs may follow if availability incidents occur.

Affected systems

Google Android is the confirmed affected vendor and product line. The vulnerability resides in ubsan_throwing_runtime.cpp, a foundational runtime component. Specific Android versions, patch levels, and device models are not detailed in the vulnerability record; organizations must cross-reference the official Google Android security bulletin and their device inventory to determine exact exposure.

Exploitability

This vulnerability has a CVSS 3.1 score of 6.5 (MEDIUM) with a network attack vector, low complexity, and requirement for prior authentication. The attacker does not need elevated privileges and no user interaction is required, lowering the barrier to exploitation. However, the need for valid credentials—even low-privileged ones—prevents unauthenticated remote exploitation. The vulnerability is not yet flagged for active exploitation in the wild (KEV status: not listed). Organizations should monitor for proof-of-concept releases and real-world attack reports as the vulnerability matures.

Remediation

Google will issue security patches addressing the integer overflow in ubsan_throwing_runtime.cpp. Patching is the primary mitigation. Organizations should obtain the latest Android security update for their devices and deploy it on a prioritized basis. Until patches are available, limit network access to Android devices and restrict the granting of valid credentials to trusted accounts only. Application-layer mitigations (e.g., rate limiting, network segmentation) may provide temporary defense depth but are not substitutes for patching.

Patch guidance

Monitor Google's official Android Security & Privacy Year in Review and monthly security bulletins for patch availability. Once patches are released, verify the specific Android version and security patch level applicable to your devices. Apply updates via OTA (over-the-air) updates on managed devices or through your mobile device management (MDM) platform. Test patches in a pre-production environment if critical services depend on specific Android versions. Document patch deployment across your device inventory to confirm coverage.

Detection guidance

Monitor system logs and crash reports for abnormal terminations or segmentation faults in processes linked to ubsan_throwing_runtime.cpp. Network-based detection is difficult without payload signatures; focus on behavioral indicators such as repeated failed process spawning or denial-of-service patterns from internal or external authenticated users. Enable enhanced logging on Android devices if supported by your MDM solution. Security event aggregation (SIEM) can help correlate crashes with network activity to identify exploitation attempts.

Why prioritize this

Although the CVSS score is MEDIUM (6.5), this vulnerability warrants timely attention because it requires only authentication (not privilege escalation) and no user interaction for exploitation. The denial-of-service impact can degrade service availability for dependent systems and users. It is not yet in active exploitation, providing a window to patch before adversaries weaponize it. Prioritize patching for Android devices that are exposed to untrusted or semi-trusted networks or that support critical business functions.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects a MEDIUM severity rating driven by: (1) Network attack vector (AV:N) allowing remote exploitation; (2) Low attack complexity (AC:L) with no special conditions required; (3) Low privilege requirement (PR:L) for a valid authenticated user; (4) No user interaction (UI:N); (5) High availability impact (A:H) from the denial-of-service effect. The absence of confidentiality and integrity impact (C:N/I:N) moderates the score. The requirement for prior authentication prevents a higher severity rating.

Frequently asked questions

Do I need to be an administrator to exploit this vulnerability?

No. The vulnerability requires only valid user credentials; no elevated privileges (administrator or system) are necessary. Any authenticated user can potentially trigger the integer overflow and cause a denial of service.

Can this vulnerability be exploited without network access?

The attack vector is network-based, meaning the attacker must reach the vulnerable component over a network. Local exploitation (e.g., from an app running on the same device) may be possible but is not the primary attack scenario described.

Is there a workaround if I cannot patch immediately?

Complete workarounds are limited. Reduce exposure by restricting which accounts are granted login credentials, disabling network services that expose ubsan_throwing_runtime.cpp if feasible, and implementing network-level access controls. However, these are temporary measures; patching is the definitive fix.

Will this vulnerability affect my Android app if it runs on affected devices?

Your app itself is likely not the source of the vulnerability. The flaw is in Android's runtime library, not in third-party applications. However, if a malicious or compromised process on the device exploits the vulnerability, it could cause system instability affecting all running apps.

This analysis is based on the CVE record published 2026-06-01 and modified 2026-06-17. Specific Android versions and patch levels are not detailed in the source data; refer to Google's official Android security bulletins for affected product versions and patch availability. Exploit code and weaponized proof-of-concept techniques are not provided in this document. Organizations should validate patch applicability and test thoroughly in non-production environments before deployment. SEC.co makes no warranty regarding the completeness or accuracy of third-party vendor advisories referenced externally. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).