MEDIUM 5.5

CVE-2026-0042: Android UBSan Resource Exhaustion Denial of Service

CVE-2026-0042 is a resource exhaustion vulnerability in Google Android's UBSan runtime component that allows a local attacker to cause a persistent denial of service. An attacker with basic user-level access can trigger the flaw without user interaction, exhausting system resources and rendering the device unavailable. The vulnerability does not enable unauthorized access or data theft—only availability disruption.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-400
Affected products
6 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

In multiple functions of ubsan_throwing_runtime.cpp, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in multiple functions within ubsan_throwing_runtime.cpp, a component of Android's Undefined Behavior Sanitizer (UBSan) runtime. The flaw permits resource exhaustion through uncontrolled allocation or consumption of system resources. CWE-400 (Uncontrolled Resource Consumption) classifies the issue. An attacker with local access and standard user privileges can repeatedly trigger the affected code path to exhaust memory, CPU, or other critical system resources, leading to persistent denial of service conditions. No special execution context or additional privileges are required, and exploitation does not depend on user interaction.

Business impact

Affected Android devices become unresponsive or unstable, impacting business continuity for organizations relying on Android-based enterprise devices, kiosks, IoT endpoints, or BYOD fleets. A compromised device cannot be reliably used for work tasks or communications until rebooted or the resource-exhausting process is terminated. For critical deployments—manufacturing floors, retail systems, emergency services—even intermittent availability loss poses operational risk. Recovery typically requires manual intervention or device reboot, increasing IT support burden.

Affected systems

Google Android across multiple versions is affected. The vulnerability resides in the UBSan runtime, a compiler-integrated component present in standard Android builds. All devices running affected Android versions with ubsan_throwing_runtime.cpp are potentially vulnerable, including smartphones, tablets, and Android-based IoT or embedded systems. Confirm specific affected Android versions and build numbers through Google's official security advisory.

Exploitability

Exploitability is straightforward for local attackers. The vulnerability requires only local access (physical presence or prior compromise) and standard user privileges—no privilege escalation or sophisticated techniques are needed. No user interaction is required; the attack can run silently in the background. The lack of additional execution requirements and the uncontrolled resource consumption pattern suggest the flaw is relatively easy to weaponize once an attacker gains local presence on a device.

Remediation

Apply security patches from Google addressing CVE-2026-0042. Patches will harden the ubsan_throwing_runtime.cpp functions to properly limit resource consumption and prevent exhaustion attacks. Deploy updates to all affected Android devices via over-the-air (OTA) updates, enterprise deployment tools, or manual firmware updates as your environment supports. Until patching is complete, restrict local access to high-risk devices and monitor for signs of resource exhaustion (unexpected CPU spikes, memory pressure, device freezes).

Patch guidance

Monitor Google's security bulletins and Android security advisories for patch availability and affected version details. When patches are released, prioritize deployment to devices in high-availability environments (kiosks, corporate deployments, IoT infrastructure) before rolling out to general consumer devices. Test patches in a controlled environment first to ensure compatibility with your device models and configurations. Deploy via your organization's standard Android update channels (OTA, MDM, or manual updates) and verify successful application across your fleet.

Detection guidance

Monitor for unusual resource consumption patterns on Android devices—sustained high CPU usage, memory exhaustion, or unexpected process crashes from ubsan_throwing_runtime or related runtime components. Correlate these signals with process logs or kernel messages indicating resource limits exceeded. On enterprise deployments with MDM, track device stability metrics and reboot frequencies for spikes. Note that exploitation may appear as generic resource starvation rather than a specific named attack; focus on devices showing resource pressure without corresponding user application activity.

Why prioritize this

Despite a MEDIUM CVSS score (5.5), prioritize patching based on device criticality and deployment context. Devices in continuous-operation environments (kiosks, infrastructure, emergency systems) face higher operational impact from denial of service. Devices with elevated local access risk (corporate BYOD, public-facing kiosks) warrant faster remediation. While not an active KEV entry and not exploited at scale in the wild, the low barrier to local exploitation and high availability impact justify prompt patch deployment for critical systems.

Risk score, explained

The CVSS 3.1 score of 5.5 (MEDIUM) reflects the local attack vector, low privilege requirement, and high availability impact with no confidentiality or integrity breach. The score appropriately captures that this is not a critical remote vulnerability but a local resource exhaustion issue. Business risk may exceed the numeric CVSS in specialized contexts: a manufacturing floor's automated robotic system running Android, a retail point-of-sale device, or critical IoT infrastructure would face disproportionate disruption from even brief unavailability, warranting expedited patching beyond the baseline MEDIUM severity.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. CVE-2026-0042 requires local access to the device. An attacker must already have logical access to the Android device (physical proximity, prior compromise, or legitimate account) to trigger the resource exhaustion. Remote exploitation is not possible.

Does this vulnerability expose my data or allow unauthorized access?

No. This is a denial-of-service vulnerability only. It does not enable data theft, unauthorized access, or privilege escalation. The attacker's goal is to make the device unavailable, not to compromise confidentiality or integrity.

What should I do if I can't patch immediately?

Until patches are available and deployed, restrict local access to affected devices, monitor for resource exhaustion symptoms (device freezes, unexpected restarts), and consider disabling non-essential features or services on high-risk devices. If possible, isolate critical systems until patches are applied.

Is this vulnerability currently being exploited in the wild?

CVE-2026-0042 is not currently tracked as an actively exploited vulnerability (no KEV entry). However, the low barrier to local exploitation means it could be weaponized if an attacker already has device access. Prioritize patching devices with higher local access risk or operational criticality.

This analysis is based on published vulnerability data as of the modification date (2026-06-17). Specific affected Android versions, patch availability, and remediation timelines should be verified against Google's official Android Security & Privacy Year in Review, Google Play System Updates, or the National Vulnerability Database (NVD). SEC.co provides this guidance for informational purposes; organizations must conduct their own risk assessment and testing before deploying patches in production environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).