MEDIUM 5.5

CVE-2026-0043: Android UBSan Integer Overflow Local Privilege Escalation

CVE-2026-0043 is a medium-severity integer overflow vulnerability in Android's UBSan runtime library that can cause a persistent denial of service and local privilege escalation. The flaw resides in multiple functions within ubsan_throwing_runtime.cpp and requires only local access to exploit—no special privileges or user interaction are needed. Once triggered, the integer overflow can exhaust system resources or corrupt memory state, denying service to the affected device or enabling an attacker to elevate their privileges locally.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-190
Affected products
6 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

In multiple functions of ubsan_throwing_runtime.cpp, there is a possible persistent denial of service due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from improper integer arithmetic in ubsan_throwing_runtime.cpp, where CWE-190 (Integer Overflow or Wraparound) conditions are not adequately sanitized. The UBSan (Undefined Behavior Sanitizer) runtime is responsible for detecting and handling undefined integer operations during program execution. When crafted input triggers an integer overflow across multiple vulnerable functions, the sanitizer's own error-handling logic can be exploited to cause persistent denial of service. The lack of bounds checking before arithmetic operations allows a local attacker to manipulate integer calculations, leading to resource exhaustion or memory corruption that facilitates privilege escalation.

Business impact

This vulnerability poses a localized but persistent threat to Android device availability and security. Affected users face degraded device performance, application crashes, or complete service interruption once the integer overflow is triggered. Because privilege escalation is possible without requiring elevated permissions, an unprivileged local account or compromised app could weaponize this flaw to gain system-level access, potentially enabling data exfiltration, persistence mechanisms, or further lateral movement within the device. Organizations managing fleets of Android devices should anticipate potential support costs and user disruption during remediation cycles.

Affected systems

Google Android is affected. The vulnerability exists in ubsan_throwing_runtime.cpp, which is part of the Android runtime environment. All Android versions running vulnerable builds of this component are potentially at risk. Consult Google's official advisory and your device manufacturer's security updates for specific version ranges and affected device models.

Exploitability

Exploitability is straightforward from a technical standpoint. The attack requires only local filesystem or process access—no network interaction, no special privileges, and no user action needed. An attacker with a local foothold (such as through a compromised app or existing shell access) can craft input that triggers the integer overflow synchronously. The low complexity and absence of exploitation barriers (no authentication, user interaction, or privilege requirement at attack time) make this a practical threat in multi-tenant or shared-device scenarios. However, it is not currently tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not been formally documented at this time.

Remediation

Remediation requires applying Google's official security patch to the UBSan runtime. The fix likely adds integer overflow guards, bounds checking, or sanitizer improvements to prevent wraparound conditions in the vulnerable functions. End users should enable automatic system updates and check for monthly or emergency security patches from their device manufacturer. IT teams managing Android devices should coordinate with device manufacturers or Google to obtain and stage patches, then roll them out according to their device management policies.

Patch guidance

Monitor Google's official Android security advisories for patch version numbers and release dates. Verify the specific build fingerprint or security patch level required for your device. Patches are typically delivered through Google Play System Updates or manufacturer OTA (over-the-air) mechanisms. Test patches in a controlled environment before broad deployment. Prioritize devices with the most direct user exposure or sensitive data access.

Detection guidance

Monitor system logs for repeated UBSan runtime exceptions or integer overflow errors in ubsan_throwing_runtime.cpp stack traces. Anomalous process terminations, elevated CPU usage patterns, or application crashes tied to integer arithmetic operations may indicate exploitation attempts. Mobile device management (MDM) solutions should audit device security patch levels and flag any systems running vulnerable builds. Behavioral monitoring for privilege escalation events (process capability changes, SELinux policy violations) can detect post-exploitation activity.

Why prioritize this

Although scored as MEDIUM severity with a CVSS of 5.5, this vulnerability warrants prioritization due to its no-barrier exploitation path and privilege escalation potential. Local access + no privileges required + high availability impact creates a realistic threat in environments where users install untrusted apps or share devices. The persistent DoS capability means a single successful exploitation can render a device unusable until manual intervention occurs. Organizations with high device density or mission-critical Android deployments should prioritize this over higher-CVSS network-based flaws that require more exploitation complexity.

Risk score, explained

The CVSS:3.1 score of 5.5 (MEDIUM) reflects the local-only attack surface (AV:L), low complexity (AC:L), required low privilege (PR:L), and no user interaction (UI:N). The vector appropriately elevates the score due to the high impact on availability (A:H)—persistent DoS and resource exhaustion—while noting no direct confidentiality or integrity impact (C:N, I:N). However, the privilege escalation pathway, although implicit in the description, is factored into the severity assessment. Organizations should not be misled by the MEDIUM label; this is a realistic, low-effort local attack vector that affects device trustworthiness and availability.

Frequently asked questions

Do I need to take action immediately?

If you manage Android devices, check your device inventory against Google's advisory to identify affected models and versions. Coordinate with your device manufacturer to obtain patches and plan a staged rollout. Even though this is not yet on CISA's KEV list, the low exploitation barrier means you should treat it as routine-to-urgent depending on your threat model and device sensitivity.

Can this vulnerability be exploited remotely?

No. The attack vector is strictly local (AV:L). An attacker must have local code execution or file system access on the device first. This rules out direct network-based attacks but does not eliminate risk for environments where users install apps from untrusted sources or where multiple accounts share a device.

Will my device automatically update with a fix?

Many modern Android devices receive security updates through Google Play System Updates or automatic manufacturer OTA delivery. However, patches depend on device age, manufacturer support timelines, and your update settings. Check your device's security patch level regularly and ensure automatic updates are enabled. Legacy devices may not receive patches and should be deprioritized for handling sensitive data.

What is the difference between DoS and privilege escalation in this CVE?

The integer overflow can manifest in two ways: first, as a persistent denial of service (exhausted memory, repeated crashes, device lag), and second, as a pathway to privilege escalation (corrupted state allowing unprivileged code to escalate). Both outcomes stem from the same root cause—unchecked integer arithmetic—but the post-exploitation impact varies based on how an attacker chooses to leverage the flaw.

This analysis is based on data published as of 2026-06-17 and the provided CVE description. Patch version numbers, affected device models, and timeline details must be verified against Google's official Android security advisory and your device manufacturer's release notes. This explainer is for informational purposes and does not constitute legal, compliance, or specific technical guidance. Organizations should conduct their own risk assessments and testing before deploying patches. No exploit code or proof-of-concept details are provided. SEC.co assumes no liability for actions taken based on this intelligence. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).