CVE-2026-0079: Android Integer Overflow DoS in ubsan_throwing_runtime
CVE-2026-0079 is a denial-of-service vulnerability in Android's ubsan_throwing_runtime.cpp component. An integer overflow flaw allows a local attacker to crash or hang affected systems persistently without requiring elevated privileges or user interaction. The vulnerability resides in multiple functions within the runtime component responsible for undefined behavior sanitization, making it accessible to processes running with standard user permissions.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-190
- Affected products
- 6 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
In multiple functions of ubsan_throwing_runtime.cpp, there is a possible persistent denial of service due to an integer overflow. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from inadequate integer overflow handling in ubsan_throwing_runtime.cpp, a component of Android's runtime environment. Specifically, multiple functions fail to validate integer arithmetic operations before use, triggering integer overflow conditions classified under CWE-190 (Integer Overflow or Wraparound). When exploited, these overflows corrupt internal state or trigger resource exhaustion, resulting in persistent denial of service. The attack surface is local; no network vector exists. The CVSS 3.1 vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) reflects low attack complexity, low privilege requirements, and complete availability impact confined to the attacked system.
Business impact
This vulnerability creates operational risk for organizations managing Android deployments. Affected devices can be rendered unavailable or unstable by local processes, disrupting productivity and requiring manual recovery. For enterprise environments relying on Android for critical workflows—field operations, point-of-sale, industrial IoT—persistent denial of service translates directly to downtime costs. The flaw does not compromise confidentiality or integrity, so data exfiltration or tampering is not a concern, but availability degradation can cascade if affected devices support backend services or user workflows.
Affected systems
Google Android is affected across multiple versions. The source data indicates multiple affected product entries without granular version delineation in this record. Organizations must cross-reference official Google Android security advisories to determine which specific Android OS versions and patch levels are vulnerable. Check vendor.google.com/security or your device manufacturer's security bulletin for precise version ranges and affected device models.
Exploitability
The vulnerability is exploitable with relatively low barriers to entry: attackers need only local system access (already available to most user-level processes) and can trigger the flaw without user interaction or social engineering. Attack complexity is low—the integer overflow condition is straightforward to trigger programmatically. No special capabilities, exotic hardware, or privileged access are required. This makes the flaw attractive to local privilege-escalation chains or malicious apps seeking to disable device functionality, though it does not itself elevate privileges.
Remediation
Remediation requires patching to a corrected Android version that includes integer overflow validation in ubsan_throwing_runtime.cpp. Google's security team has addressed this issue; organizations should obtain the patch from their device manufacturer or Google's Android security release notes (published June 2026 or later, per modification date). No workarounds mitigate the underlying code defect—patching is the definitive remediation. Organizations unable to patch immediately should monitor for suspicious local process behavior and restrict sideloading of untrusted applications.
Patch guidance
Verify the exact patched Android version against Google's official June 2026 security advisory for ubsan_throwing_runtime.cpp fixes. Device manufacturers typically bundle security patches into monthly or quarterly updates; check your device manufacturer's support page for availability timelines. If you manage Android devices centrally via MDM, deploy patches via your management console. Test patches in a staging environment first to confirm compatibility with business applications. For devices no longer receiving security updates, consider phased migration to supported Android versions.
Detection guidance
Monitor system logs for crashes or hangs in runtime processes (particularly those related to undefined behavior sanitization). Device telemetry showing repeated spontaneous reboots or process terminations of system runtime services may indicate exploitation attempts. On rooted or debugging-enabled devices, use logcat to observe runtime exceptions with integer overflow signatures. Behavioral anomalies such as apps unexpectedly terminating or the system becoming unresponsive intermittently warrant investigation. Note that legitimate integer overflows in unrelated code may generate similar signals, so correlation with suspicious process origins is important.
Why prioritize this
Although this vulnerability carries a CVSS score of 5.5 (MEDIUM), it warrants prioritized attention because: (1) it requires no user interaction or elevated privileges, lowering the barrier to exploitation; (2) it enables persistent denial of service, affecting availability—a critical concern for operational environments; (3) it resides in a core runtime component, meaning widespread exposure across affected Android versions; (4) malicious applications or local privilege-escalation exploits commonly chain DoS flaws to destabilize targets before further attacks. Organizations with business-critical Android deployments should treat this as a near-term patching priority despite the MEDIUM severity score.
Risk score, explained
The CVSS 3.1 score of 5.5 reflects the availability-only impact (no confidentiality or integrity loss), local-only attack vector, and requirement for low-level user privileges. Attack complexity is low and user interaction is unnecessary, which prevents the score from dropping further. The score does not rise to HIGH because the impact is scoped to the individual affected system and does not propagate to other systems. In practice, the operational risk may exceed the numerical score if the vulnerability is exploited at scale across a large Android device fleet; contextual factors like device criticality and incident response capacity should inform prioritization beyond the CVSS number alone.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. CVE-2026-0079 is strictly a local vulnerability (AV:L in CVSS). An attacker must already have local process-level access to the affected Android device to trigger the integer overflow. Network-based exploitation is not possible, though a compromised or malicious application installed on the device could exploit it locally.
Does this vulnerability allow an attacker to steal data or modify files?
No. The vulnerability causes only denial of service (unavailability). The CVSS vector shows C:N (no confidentiality impact) and I:N (no integrity impact). An attacker cannot read, exfiltrate, or corrupt user data; they can only crash or hang processes on the affected device.
Which Android versions are affected?
The source data indicates multiple affected Google Android product entries without specific version numbers in this record. You must consult Google's official Android Security & Privacy Year in Review or the June 2026 security bulletin to identify affected version ranges and device models. Check your device manufacturer's security page for patch availability timelines specific to your devices.
Is there a workaround if we can't patch immediately?
Workarounds are limited because the flaw is in core runtime code. Mitigations include: (1) restricting sideloading of untrusted applications to reduce the attack surface; (2) using MDM policies to enforce app allowlisting; (3) monitoring system stability closely for signs of exploitation; (4) prioritizing patch deployment as soon as manufacturer updates are available. However, only a code-level patch definitively fixes the vulnerability.
This analysis is provided for informational and educational purposes to support vulnerability management decisions. All information herein reflects ground-truth source data current as of the analysis date. Specific patch version numbers, device models, and availability timelines must be verified against official Google Android security advisories and device manufacturer bulletins. SEC.co makes no warranty regarding the completeness or applicability of this intelligence to your specific environment. Organizations are responsible for independently assessing risk, testing patches, and implementing remediation appropriate to their operational context. This document does not constitute legal, compliance, or professional security advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0039MEDIUMAndroid Integer Overflow Denial of Service Vulnerability
- CVE-2026-0040MEDIUMAndroid ubsan_throwing_runtime Integer Overflow DoS Vulnerability
- CVE-2026-0041MEDIUMAndroid UBSan Integer Overflow Remote Denial of Service
- CVE-2026-0043MEDIUMAndroid UBSan Integer Overflow Local Privilege Escalation
- CVE-2026-0044MEDIUMAndroid Integer Overflow Denial of Service Vulnerability
- CVE-2026-0052MEDIUMAndroid Integer Overflow Remote Denial of Service Vulnerability
- CVE-2026-0080MEDIUMAndroid Integer Overflow Remote Denial of Service
- CVE-2026-10999MEDIUMGoogle Chrome ANGLE Integer Overflow Information Disclosure