CVE-2026-0067: Android ubsan_throwing_runtime Local Denial of Service
A logic error in Android's ubsan_throwing_runtime.cpp file can be exploited by a local attacker to permanently deny service to affected devices. The vulnerability requires only basic user-level permissions and no special interaction to trigger, making it a straightforward availability threat for any Android user or administrator managing affected deployments.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- —
- Affected products
- 6 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause a permanent denial of service due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-0067 stems from flawed logic in multiple functions within ubsan_throwing_runtime.cpp, a component of Android's undefined behavior sanitizer runtime. The vulnerability allows a local, unprivileged process to cause a permanent denial of service condition. The CVSS 3.1 vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates low attack complexity, local-only attack surface, and no user interaction required, with impact limited to availability. No escalation of privilege is necessary for exploitation.
Business impact
A successful exploit results in permanent denial of service on affected Android devices. For enterprises deploying Android in managed environments—whether corporate-owned devices, IoT infrastructure, or specialized mobile deployments—this vulnerability can render devices unresponsive or unusable until remediation. The lack of privilege escalation requirements means standard users can trigger the condition, widening the attack surface in multi-user or BYOD scenarios. Recovery typically requires device restart or full remediation, increasing operational overhead.
Affected systems
Google Android is affected. The source data lists multiple Android product entries but does not specify version ranges or build levels. Security teams must consult the official Google Android Security & Privacy Year in Review or relevant vendor advisories to identify which Android versions and patch levels are vulnerable. Cross-reference your deployed Android versions against those advisories to determine exposure.
Exploitability
Exploitability is relatively straightforward. The vulnerability requires only local access and standard user privileges (PR:L), with no complex attack chain or user interaction (UI:N). Any local process or authenticated user on the device can trigger the denial of service. The low attack complexity (AC:L) indicates the flaw is easily reproducible. However, without public exploit code or active in-the-wild campaigns being tracked in the KEV catalog, opportunistic exploitation may be less common than deliberate or targeted attacks.
Remediation
Apply security patches released by Google for Android. Since the source data does not specify patch version numbers, consult the official Google Android Security & Privacy advisory corresponding to the June 2026 release cycle, or your device manufacturer's security bulletin. Patches are typically delivered via system updates; enterprises should enforce timely deployment through mobile device management (MDM) policies. No workarounds exist for this logic error; patching is the only reliable mitigation.
Patch guidance
Monitor Google's Android Security & Privacy bulletins for CVE-2026-0067 remediation details, including affected versions and patch availability. Apply available updates to all managed Android devices via OTA (over-the-air) updates or MDM-driven deployment. Verify patch application by confirming the updated build fingerprint or security patch level on affected devices. Prioritize devices in high-availability environments or user-facing roles to minimize operational disruption. Test patches in a staging environment before full rollout to confirm no regressions with existing applications.
Detection guidance
Detection is challenging without device-level instrumentation or crash logs. Monitor system event logs for unexpected process terminations, service restarts, or device reboots originating from ubsan_throwing_runtime or related memory-safety components. On enterprise-managed devices, enable MDM telemetry to flag devices that repeatedly reboot or experience service failures. Consider deploying endpoint detection and response (EDR) agents on sensitive Android deployments to correlate abnormal termination patterns. Retrospective detection of exploitation attempts may be limited; focus on ensuring patches are deployed before exploitation occurs.
Why prioritize this
Although CVE-2026-0067 carries a CVSS score of 5.5 (Medium), the lack of KEV/CISA tracking and no public active exploitation lower immediate attack urgency compared to critical vulnerabilities. However, the low barrier to exploitation (local user privilege only, no user interaction) and the permanent nature of the denial of service warrant expedited patching within your standard update cycle. Prioritize patches for devices supporting critical business processes or handling sensitive workloads; consider routine patching for consumer or non-critical deployments on a standard maintenance schedule.
Risk score, explained
The CVSS 3.1 score of 5.5 reflects a Medium-severity availability impact confined to local attack scenarios. The vector penalizes the vulnerability for requiring local access (AV:L) and standard user privileges (PR:L), preventing remote or privilege-escalation exploitation. The high availability impact (A:H) and lack of confidentiality or integrity compromise align with permanent denial of service as the only consequence. The score appropriately places this as a moderate but manageable risk that does not warrant emergency response, though timely patching remains important.
Frequently asked questions
Can an attacker exploit this vulnerability remotely or through the network?
No. CVE-2026-0067 is strictly a local vulnerability (AV:L in CVSS). An attacker must have direct access to the device or be an authenticated user on it. Remote exploitation is not possible.
Does exploitation require rooting or special permissions?
No. The vulnerability can be triggered by any process running with standard user privileges (PR:L). Root access is not required, making it accessible to any installed application or local user.
What is the difference between a permanent and temporary denial of service in this context?
Permanent denial of service means the device becomes unresponsive until manually recovered (via restart or device reset), rather than a temporary service disruption that self-resolves. This increases operational impact and recovery effort.
Does this vulnerability appear in the CISA Known Exploited Vulnerabilities (KEV) catalog?
No (kev: false). As of the latest data, CVE-2026-0067 is not tracked in the KEV catalog, indicating no confirmed active exploitation by threat actors has been reported to CISA. This does not guarantee the vulnerability will not be exploited; it simply reflects current threat intelligence.
This analysis is based on published vulnerability data as of June 2026 and does not constitute formal security advice or endorsement of any specific patch version or deployment strategy. Security teams must verify all patch details and version applicability against official Google Android advisories before deployment. The absence of KEV tracking does not guarantee immunity from exploitation. Conduct your own risk assessment based on your device inventory, threat model, and operational requirements. SEC.co provides this intelligence for informational purposes; consult your internal security team or vendor support for authoritative guidance on your specific environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Related vulnerabilities
- CVE-2025-48648MEDIUMAndroid NotificationManagerService Resource Exhaustion DoS
- CVE-2026-0018MEDIUMAndroid AccessibilityManagerService Denial of Service Vulnerability
- CVE-2026-0039MEDIUMAndroid Integer Overflow Denial of Service Vulnerability
- CVE-2026-0040MEDIUMAndroid ubsan_throwing_runtime Integer Overflow DoS Vulnerability
- CVE-2026-0041MEDIUMAndroid UBSan Integer Overflow Remote Denial of Service
- CVE-2026-0042MEDIUMAndroid UBSan Resource Exhaustion Denial of Service
- CVE-2026-0043MEDIUMAndroid UBSan Integer Overflow Local Privilege Escalation
- CVE-2026-0044MEDIUMAndroid Integer Overflow Denial of Service Vulnerability