CVE-2026-0080: Android Integer Overflow Remote Denial of Service
CVE-2026-0080 is an integer overflow vulnerability in Google Android's ubsan_throwing_runtime.cpp that allows authenticated attackers to crash affected devices remotely. The flaw requires a valid login but no special permissions, and can be triggered without user interaction—making it a practical denial-of-service vector for an attacker with baseline Android system access.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-190
- Affected products
- 6 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause a crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in multiple functions within ubsan_throwing_runtime.cpp and stems from improper handling of integer arithmetic operations (CWE-190). An integer overflow condition allows a remote attacker with low-privilege credentials to send specially crafted input that causes the runtime to crash. The undefined behavior sanitizer (ubsan) runtime is a component that checks for runtime errors during execution; when the overflow occurs, it leads to an unhandled exception and process termination rather than graceful error handling.
Business impact
Availability is the primary concern. An attacker with any valid Android account credentials can remotely trigger repeated device crashes or service unavailability, degrading user experience and potentially impacting business continuity for organizations relying on Android-based infrastructure or kiosk deployments. There is no confidentiality or integrity risk; the attack is purely denial of service.
Affected systems
This vulnerability affects multiple versions of Google Android. Consult Google's official Android Security & Privacy Release Bulletin to identify the specific Android versions and patch levels that are vulnerable and determine which devices in your fleet are at risk.
Exploitability
The attack has low barriers to entry: it requires only a valid login credential (typical network access requirement for Android services) and can be executed programmatically without user interaction. The CVSS score of 6.5 (MEDIUM) reflects the combination of network accessibility and low privilege requirement, offset by the absence of confidentiality or integrity impact. This is not currently listed on CISA's Known Exploited Vulnerabilities catalog.
Remediation
Apply the security patch released by Google for Android as soon as it becomes available for your device models and OS versions. Patch application should be prioritized for devices exposed to untrusted networks or those handling business-critical workloads. Until patching is complete, consider network-level controls to restrict access to Android services and monitor authentication logs for suspicious account activity.
Patch guidance
Visit Google's Android Security & Privacy Release Bulletin to identify the patch version for your specific Android version and device model. Security updates are typically released monthly. Some devices may require carrier approval before patches propagate, so verify patch availability through your device manufacturer's or carrier's update channels. Test patches in a limited production environment before wide deployment.
Detection guidance
Monitor system logs and crash reports for repeated terminations of ubsan-related processes or the affected runtime component. Network-based detection is challenging since the exploit uses legitimate authentication, but endpoint detection should flag multiple authentication attempts from the same account followed by service crashes. Android devices can forward logs to a Security Information and Event Management (SIEM) system for correlation and alerting.
Why prioritize this
Although this is a medium-severity vulnerability, it should be addressed in your Android patch cycle because it enables simple, unauthenticated-adjacent denial of service with no exploitation complexity. Organizations running Android in critical roles (medical devices, point-of-sale systems, infrastructure management) should prioritize patching. If Android devices in your environment are not exposed to untrusted users with valid credentials, risk can be temporarily mitigated through access controls.
Risk score, explained
The CVSS 3.1 score of 6.5 is driven by: (1) Network-accessible attack vector, (2) Low privilege requirement (authenticated user), (3) No user interaction needed, (4) High availability impact (crash/denial of service), and (5) No confidentiality or integrity impact. The score reflects a meaningful but contained threat that warrants patching within normal security update cycles rather than emergency response.
Frequently asked questions
Do I need a Google account to exploit this vulnerability?
No, you need a valid credential for any Android service or account tied to the affected device or system. This could be a device administrator account, a service account, or any authenticated user depending on the specific deployment. The exact authentication requirement varies by Android version and configuration.
Can this be exploited over the internet, or is it limited to local network access?
It can be exploited remotely over the network (AV:N in the CVSS vector). However, it requires prior authentication, so the attacker must first obtain or already possess valid credentials for an Android service or account.
What is the difference between this and a typical crash bug?
The crash is caused by an integer overflow—a flaw in how the code performs arithmetic on large numbers. This can be more reliably reproduced and weaponized than a random crash, making it a viable denial-of-service attack when combined with authentication access.
Is this vulnerability already being exploited in the wild?
As of the publication date (June 1, 2026), this vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog, meaning there is no confirmed evidence of active exploitation. However, the low barrier to exploitation suggests it could be discovered and used opportunistically after disclosure.
This analysis is based on publicly available information as of June 2026. Patch versions, timelines, and detailed exploitation requirements must be verified against Google's official Android Security & Privacy Release Bulletin and relevant device vendor advisories. SEC.co provides this information for security planning purposes; it does not constitute professional security advice tailored to your specific environment. Always conduct your own testing and risk assessment before applying patches or implementing mitigations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0039MEDIUMAndroid Integer Overflow Denial of Service Vulnerability
- CVE-2026-0040MEDIUMAndroid ubsan_throwing_runtime Integer Overflow DoS Vulnerability
- CVE-2026-0041MEDIUMAndroid UBSan Integer Overflow Remote Denial of Service
- CVE-2026-0043MEDIUMAndroid UBSan Integer Overflow Local Privilege Escalation
- CVE-2026-0044MEDIUMAndroid Integer Overflow Denial of Service Vulnerability
- CVE-2026-0052MEDIUMAndroid Integer Overflow Remote Denial of Service Vulnerability
- CVE-2026-0079MEDIUMAndroid Integer Overflow DoS in ubsan_throwing_runtime
- CVE-2026-10999MEDIUMGoogle Chrome ANGLE Integer Overflow Information Disclosure