MEDIUM 6.5

CVE-2026-0051: Android UBSan Runtime Denial of Service Vulnerability

A vulnerability in Google Android's UBSan (Undefined Behavior Sanitizer) runtime component allows an authenticated attacker to crash the system by sending malformed input to multiple functions in ubsan_throwing_runtime.cpp. The vulnerability requires valid credentials to exploit but no special privileges, and the attacker doesn't need to interact with the device user. The impact is denial of service—the system becomes unavailable—but data confidentiality and integrity are not compromised.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-20
Affected products
6 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause a system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-0051 is an input validation flaw (CWE-20) affecting the ubsan_throwing_runtime.cpp module across multiple Android versions. The vulnerability resides in the UBSan runtime, which instruments code to detect undefined behavior at runtime. Improper validation of crafted input to several functions permits an authenticated remote attacker to trigger an unhandled exception or crash, resulting in denial of service. The attack vector is network-based, access complexity is low, and no user interaction is required, making it trivial to trigger once authenticated.

Business impact

For organizations running Android infrastructure or relying on Android devices for critical workflows, this vulnerability creates availability risk. Authenticated accounts—whether compromised or malicious insiders—can remotely crash Android systems without warning. For device manufacturers and Android platform operators, this represents a service resilience issue; for enterprise deployments, it threatens uptime for applications and systems dependent on affected Android versions. The low barrier to exploitation (authentication only, no UI interaction) amplifies the operational risk.

Affected systems

Multiple versions of Google Android are affected. The source data identifies six references to 'google android' without specifying exact version ranges; consult the official Android Security & Privacy Year in Review and Google's Security Bulletins to identify your specific Android version(s) and determine applicability. Devices running vulnerable builds are at risk if they expose network-facing services or APIs callable by authenticated users.

Exploitability

This vulnerability has a moderate-to-low barrier to exploitation. An attacker must possess valid credentials (authentication is required per the CVSS vector), but once authenticated, no additional privileges, complex attack chains, or user interaction are needed. The network-accessible nature of the vulnerability and the simplicity of triggering it via malformed input make it exploitable by low-skill actors with valid accounts. The vulnerability has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog as of the latest update, suggesting limited public weaponization to date, but that status may change.

Remediation

Apply the latest Android security patch released by Google. Verify the specific patch version for your Android build by consulting Google's monthly security bulletins and cross-referencing your device model and version. In parallel, consider network segmentation to limit which authenticated users can reach affected Android services, and monitor authentication logs for suspicious account activity. If immediate patching is delayed, restrict authentication privileges to reduce the attack surface.

Patch guidance

Monitor Google's Android Security & Privacy Bulletin for the specific patch version addressing CVE-2026-0051 for your Android build. Patches are typically released monthly; apply them as soon as feasible. Test patches in a non-production environment first to ensure compatibility with dependent applications. For enterprise deployments, coordinate patch rollout with your device management and application teams to minimize disruption. Verify patch application by checking the Android Security Patch Level in device settings and confirming it is dated on or after the bulletin's patch release date.

Detection guidance

Monitor for abnormal process termination or system crashes originating from the ubsan_throwing_runtime component or UBSan instrumentation. Implement logging on authentication endpoints to identify which accounts are accessing Android services and from which origins. Correlate authentication logs with crash dumps or system event logs to detect exploitation attempts. In high-security environments, consider runtime monitoring tools that detect anomalous memory access or exception patterns. Be alert for repeated crashes following authentication by the same account, which may indicate active exploitation.

Why prioritize this

While the CVSS score of 6.5 (MEDIUM) reflects the authentication requirement and lack of confidentiality or integrity impact, the ease of exploitation, low attack complexity, and high availability impact warrant prompt attention. Authenticated denial of service vulnerabilities are operationally disruptive and are often exploited by insiders or attackers with compromised credentials. The lack of KEV designation suggests this is not yet a widespread active threat, providing a window to patch proactively before public tools emerge.

Risk score, explained

The CVSS 3.1 score of 6.5 (MEDIUM) is driven by: network accessibility and low attack complexity (favoring higher score); requirement for prior authentication (limiting scope); and high availability impact (denial of service causes system unavailability). The attack vector being network-based and the lack of required user interaction offset the authentication requirement. The absence of confidentiality and integrity impact prevents a higher score, but organizations should not underweight availability—production systems dependent on Android deserve urgent attention.

Frequently asked questions

Do I need to be unauthenticated to trigger this vulnerability?

No. The vulnerability requires valid authentication credentials. An attacker cannot exploit it anonymously. However, once authenticated, no additional privileges or user interaction are needed, making it dangerous if credentials are compromised or misused by insiders.

What Android versions are affected?

The source data references multiple Google Android versions without specifying exact build numbers. Consult Google's official Android Security & Privacy Bulletin and your device manufacturer's security advisories to determine which Android versions you run and whether they are vulnerable. This is critical for prioritization.

Can this vulnerability be exploited from the internet?

Yes. The vulnerability is network-accessible (CVSS vector AV:N), meaning an authenticated attacker can exploit it remotely without physical access to the device. The attack does not require user interaction—the attacker simply sends malformed input to trigger the crash.

Is this vulnerability actively being exploited in the wild?

As of the latest available data, this vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog, suggesting limited or no active public weaponization. However, the simplicity of exploitation means public tools could emerge quickly once patches are released. Proactive patching is strongly recommended rather than waiting for evidence of active attacks.

This analysis is based on information available as of the CVE publication and modification dates. Patch versions, affected build numbers, and remediation timelines must be verified against official Google Android Security Bulletins and your device manufacturer's advisories. SEC.co makes no warranty regarding the completeness or timeliness of this information. For production systems, conduct your own risk assessment and testing before applying patches or making configuration changes. This explainer does not constitute security advice specific to your organization; engage qualified security professionals for guidance tailored to your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).