CVE-2026-0041: Android UBSan Integer Overflow Remote Denial of Service
An integer overflow vulnerability exists in Google Android's UBSan (Undefined Behavior Sanitizer) runtime code. When triggered, the overflow causes the sanitizer itself to fail rather than safely handling undefined behavior, resulting in application crashes or service disruption. An authenticated attacker can remotely exploit this without user interaction, making it a network-reachable denial-of-service vector.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-190
- Affected products
- 6 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
In multiple functions of ubsan_throwing_runtime.cpp, there is a possible UBSan failure due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-0041 is an integer overflow vulnerability (CWE-190) in multiple functions within ubsan_throwing_runtime.cpp in Android. The UBSan runtime is designed to detect and report undefined behavior, but integer overflow in its own code prevents it from functioning correctly. An attacker with login privileges can send crafted input that causes integer wrapping in vulnerable code paths, triggering a sanitizer failure that crashes the affected process. The vulnerability requires network access and authenticated privileges but no user interaction.
Business impact
This vulnerability enables authenticated denial-of-service attacks against Android-based infrastructure and services. Attackers with valid credentials can crash critical applications or system components by triggering the integer overflow, leading to service unavailability. For organizations running Android in enterprise, IoT, or embedded contexts, successful exploitation could disrupt operations without requiring device compromise or persistent access.
Affected systems
Google Android is confirmed affected across multiple versions. Verification of exact version ranges and device models requires checking the vendor advisory. Organizations should audit inventory for Android deployments that accept authenticated network connections.
Exploitability
The attack is straightforward to execute: only network access and valid login credentials are needed. No special privileges, code execution, or user interaction is required. The CVSS score of 6.5 (Medium) reflects that while the impact is severe, the requirement for authentication and the limitation to denial of service prevent a higher rating. However, the low barrier to exploitation combined with no defensive user action makes this practical to weaponize if credentials are available.
Remediation
Apply security patches from Google as they become available through Android Security & Maintenance Releases. Verify patch eligibility for your specific Android version and device model against the vendor advisory. Organizations unable to patch immediately should implement network-level access controls to restrict authenticated connections to Android systems only from trusted sources.
Patch guidance
Consult Google's official Android Security & Maintenance Releases bulletin and device-specific security updates. Patch availability and version numbers vary by manufacturer and device. Test patches in a non-production environment before full rollout to ensure compatibility. For long-term support branches, patches may be delivered on extended timelines.
Detection guidance
Monitor for unexpected application crashes or service restarts triggered by UBSan failures. Look for error logs or crash dumps mentioning ubsan_throwing_runtime.cpp. Implement alerting on authentication attempts from unusual IP addresses or patterns that could precede exploitation attempts. Network-based detection is difficult; focus on application-level monitoring and log analysis for UBSan-related failures.
Why prioritize this
Although rated Medium severity, this vulnerability merits swift attention because (1) authentication barriers are lower than privilege escalation requirements, (2) the exploitation pathway is straightforward, (3) denial of service can disrupt business continuity, and (4) Android's ubiquity in enterprise IoT means many organizations likely have exposure. Prioritize patching for Internet-facing Android systems and those handling sensitive workflows.
Risk score, explained
The CVSS 3.1 score of 6.5 reflects: network accessibility (AV:N), low attack complexity (AC:L), requirement for authenticated privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality or integrity impact (C:N/I:N), and high availability impact (A:H). The authentication requirement prevents a critical rating despite the denial-of-service impact.
Frequently asked questions
Does this vulnerability allow remote code execution?
No. The integer overflow causes the UBSan sanitizer to fail and crash, resulting in denial of service. It does not enable code execution or persistent compromise.
Who can exploit this vulnerability?
Any user or service with valid authentication credentials for the affected Android system. This includes internal users, authorized API consumers, and anyone with compromised credentials.
Is this vulnerability actively exploited in the wild?
This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed public exploitation at this time. However, low exploitation complexity means real-world attacks may occur once patches are available for comparison.
What Android versions are affected?
The vendor advisory specifies affected versions. Contact Google support or check your device manufacturer's security bulletin for exact version ranges, as patch timelines vary significantly by device and manufacturer.
This analysis is based on available vulnerability data as of the publication date. Patch version numbers, affected device models, and availability timelines should be verified against official Google Android Security & Maintenance Releases and your device manufacturer's advisory. Exploitation feasibility and impact vary by specific Android version and deployment context. This information is provided for educational and remediation planning purposes only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0039MEDIUMAndroid Integer Overflow Denial of Service Vulnerability
- CVE-2026-0040MEDIUMAndroid ubsan_throwing_runtime Integer Overflow DoS Vulnerability
- CVE-2026-0043MEDIUMAndroid UBSan Integer Overflow Local Privilege Escalation
- CVE-2026-0044MEDIUMAndroid Integer Overflow Denial of Service Vulnerability
- CVE-2026-0052MEDIUMAndroid Integer Overflow Remote Denial of Service Vulnerability
- CVE-2026-0079MEDIUMAndroid Integer Overflow DoS in ubsan_throwing_runtime
- CVE-2026-0080MEDIUMAndroid Integer Overflow Remote Denial of Service
- CVE-2026-10999MEDIUMGoogle Chrome ANGLE Integer Overflow Information Disclosure