CVE-2026-0044: Android Integer Overflow Denial of Service Vulnerability
CVE-2026-0044 is an integer overflow vulnerability in Android's ubsan_throwing_runtime.cpp that allows an authenticated attacker to crash the system remotely. The flaw requires valid credentials to exploit but no user interaction, making it a straightforward denial-of-service vector that can disrupt device availability without requiring the attacker to execute code or escalate privileges.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-190
- Affected products
- 6 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause the system to crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from improper integer overflow handling in multiple functions within ubsan_throwing_runtime.cpp, a component of Android's undefined behavior sanitizer runtime. An authenticated attacker can trigger an integer overflow condition that causes the runtime to crash, resulting in a denial of service. The attack surface is network-accessible, the attack complexity is low, and no special privileges beyond authentication are required. The flaw is classified under CWE-190 (Integer Overflow or Wraparound).
Business impact
A successful exploitation of this vulnerability could render Android devices unresponsive or force them into a crash state, disrupting critical business operations for organizations relying on Android infrastructure or mobile workforces. While this does not compromise data confidentiality or integrity, sustained availability attacks could impact productivity, customer-facing services, or IoT deployments running affected Android versions. Organizations should evaluate their exposure based on deployment patterns and the sensitivity of affected systems.
Affected systems
The vulnerability affects multiple versions of Google Android. Organizations running affected Android releases should verify their deployed versions against Google's security advisory to determine scope. This includes both consumer devices and enterprise deployments where Android is used in managed environments, IoT devices, or embedded systems.
Exploitability
Exploitation requires valid authentication credentials but no user interaction, making the attack practical for insiders or attackers who have obtained legitimate credentials. The CVSS vector indicates network accessibility and low attack complexity, meaning an attacker can trigger the crash remotely over the network once authenticated. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date, suggesting active exploitation in the wild has not been confirmed at scale, though this does not eliminate operational risk.
Remediation
Apply security patches provided by Google for affected Android versions as soon as testing confirms compatibility with your environment. Patch releases address the integer overflow by implementing proper bounds checking and overflow detection in ubsan_throwing_runtime.cpp. Validate patch availability through Google's official security bulletin and your device manufacturer's advisory to confirm version numbers and deployment timelines specific to your hardware and Android variant.
Patch guidance
Consult Google's Android Security & Privacy Year in Review and the specific security bulletin for CVE-2026-0044 to identify the patched Android version applicable to your devices. Test patches in a controlled environment before broad deployment to ensure stability and compatibility with your applications and configurations. Device manufacturers may release patches on different timelines; check your OEM's security update schedule. For enterprise environments, coordinate patch deployment with your mobile device management (MDM) or device administration platform to minimize disruption.
Detection guidance
Monitor for abnormal Android runtime crashes or repeated system resets that correlate with unusual authentication patterns or network activity from internal endpoints. Log authentication events to ubsan-related services or components if accessible through your monitoring infrastructure. System administrators should review SELinux audit logs and system event logs for repeated sanitizer runtime failures. Endpoint detection and response (EDR) platforms with Android support can help identify behavioral anomalies consistent with repeated denial-of-service attempts. Network-based detection is limited since the attack triggers an internal integer overflow; focus on behavioral signals and crash analytics.
Why prioritize this
Although rated CVSS 6.5 (MEDIUM), this vulnerability merits prioritization because it requires only authentication—not privilege escalation or complex attack chains—and the attack surface is network-accessible. For organizations with high-security Android deployments (banking, critical infrastructure, sensitive data handling), the combination of low barrier to entry and denial-of-service capability justifies prompt attention. Prioritize assets running user-facing or mission-critical Android services, then expand to general estate coverage.
Risk score, explained
The CVSS 6.5 score reflects a network-accessible denial-of-service flaw requiring authentication (PR:L). The score does not incorporate threat likelihood or organizational context; your internal risk assessment should factor in credential hygiene, internal network segmentation, the number of affected devices, and business tolerance for temporary unavailability. If your environment has weak authentication controls or widespread Android deployment, the operational risk may exceed the base CVSS score.
Frequently asked questions
Do I need to patch immediately if this vulnerability is not on CISA's KEV list?
KEV status indicates known active exploitation; absence from the list does not mean the flaw is low-risk or unpatched in the wild. Authenticated denial-of-service flaws can be exploited by insiders or credential-compromised accounts without widespread public tooling. Patch according to your change management process, prioritizing high-value or exposed Android systems.
Can this vulnerability be exploited from the internet, or only from internal networks?
The vulnerability is network-accessible (AV:N in CVSS), meaning it can be reached over the network. However, it requires valid authentication (PR:L), so the attacker must possess or obtain legitimate credentials. This limits the attack to authenticated users or attackers who have compromised valid accounts.
Will this vulnerability compromise my data if exploited?
No. The vulnerability causes denial of service only (A:H in CVSS) and does not result in confidentiality or integrity impact. Exploitation crashes the system or component but does not leak data or modify files. Recovery typically involves restarting the affected service or device.
How do I know if my Android devices are affected?
Check your device's Android Security Patch Level in Settings > About Phone and cross-reference it against Google's security bulletin for CVE-2026-0044. Your device manufacturer may also provide a specific advisory. If your patch level predates the fix, your device is likely affected; apply the available update or contact your OEM for guidance.
This analysis is based on publicly available information as of the publication date and does not constitute legal or professional security advice. Verify all patch versions, affected product lists, and remediation guidance against official vendor advisories from Google and your device manufacturer. The absence of a vulnerability from CISA's KEV catalog does not guarantee lack of exploitation risk. Organizations should conduct their own risk assessment considering their environment, threat model, and regulatory obligations. SEC.co does not warrant the accuracy or completeness of this information and disclaims liability for damages resulting from reliance on this content. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0039MEDIUMAndroid Integer Overflow Denial of Service Vulnerability
- CVE-2026-0040MEDIUMAndroid ubsan_throwing_runtime Integer Overflow DoS Vulnerability
- CVE-2026-0041MEDIUMAndroid UBSan Integer Overflow Remote Denial of Service
- CVE-2026-0043MEDIUMAndroid UBSan Integer Overflow Local Privilege Escalation
- CVE-2026-0052MEDIUMAndroid Integer Overflow Remote Denial of Service Vulnerability
- CVE-2026-0079MEDIUMAndroid Integer Overflow DoS in ubsan_throwing_runtime
- CVE-2026-0080MEDIUMAndroid Integer Overflow Remote Denial of Service
- CVE-2026-10999MEDIUMGoogle Chrome ANGLE Integer Overflow Information Disclosure