CVE-2026-0039 Overview
CVE-2026-0039 is an integer overflow vulnerability [CWE-190] affecting multiple functions in ubsan_throwing_runtime.cpp within Google Android. The flaw allows an attacker to trigger a persistent denial of service condition without requiring user interaction. Exploitation requires low privileges and can be launched over the network. The vulnerability impacts Android versions 14.0, 15.0, and 16.0, including the QPR2 beta releases. Google addressed the issue in the Android Security Bulletin June 2026.
Critical Impact
Successful exploitation results in a persistent denial of service that disrupts device availability without granting any code execution or data access privileges.
Affected Products
- Google Android 14.0
- Google Android 15.0
- Google Android 16.0 (including QPR2 Beta 1, Beta 2, and Beta 3)
Discovery Timeline
- 2026-06-01 - Google publishes the Android Security Bulletin addressing CVE-2026-0039
- 2026-06-01 - CVE-2026-0039 published to the National Vulnerability Database (NVD)
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-0039
Vulnerability Analysis
The vulnerability resides in ubsan_throwing_runtime.cpp, which is part of the Undefined Behavior Sanitizer (UBSan) throwing runtime used by Android. Multiple functions in this file contain an integer overflow condition that an attacker can trigger remotely. When exploited, the overflow causes a persistent denial of service affecting device availability. The issue is classified under [CWE-190] (Integer Overflow or Wraparound). The Exploit Prediction Scoring System (EPSS) places exploitation probability at 0.105% with a percentile of 28.107, indicating low near-term exploitation likelihood. No public proof-of-concept exists at the time of publication, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Root Cause
The root cause is improper bounds checking on integer arithmetic within the UBSan throwing runtime. When values exceed expected ranges, the arithmetic wraps and produces invalid state. The downstream code paths then enter a condition that prevents normal operation from resuming, producing a persistent denial of service rather than a transient crash.
Attack Vector
An attacker with low-privilege network access can deliver crafted input that reaches the vulnerable functions in ubsan_throwing_runtime.cpp. No user interaction is required for exploitation. The attack does not yield confidentiality or integrity impact, but it produces high availability impact on the affected Android device. Refer to the Android Security Bulletin June 2026 for additional technical context.
Detection Methods for CVE-2026-0039
Indicators of Compromise
- Repeated application or system service crashes referencing ubsan_throwing_runtime in Android logs (logcat).
- Devices entering persistent unresponsive states that require reboot or factory reset to restore service.
- Anomalous network traffic patterns targeting Android endpoints from low-privilege authenticated sources.
Detection Strategies
- Aggregate Android logcat and tombstone files in a centralized telemetry pipeline and alert on UBSan-related abort signatures.
- Correlate device availability loss events with preceding inbound network activity from authenticated sessions.
- Track Android version inventory to identify devices running 14.0, 15.0, or 16.0 prior to the June 2026 patch level.
Monitoring Recommendations
- Monitor Android device fleets for crash loops and unexpected service restarts following remote network sessions.
- Track patch level adoption against the 2026-06-01 Android security patch level across managed devices.
- Alert on repeated authentication followed by abnormal application termination on the same device.
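The logcat-based detection and the correlation steps above can be scripted. The block below is an added example for this advisory; it is not Google's code and not part of the original page. It parses Android `logcat -v threadtime` output, pairs each SIGABRT with a UBSan report from the same pid that names ubsan_throwing_runtime, flags crash loops, and links each abort to the most recent inbound network session logged before it. The log lines are constructed: the tags, the session-log format and the message text are assumptions, not recorded output from an affected device.

```python
"""Added detection example (not from the advisory or from Google).
Log lines are CONSTRUCTED for illustration; the UBSan tag, the message text and
the 'inbound session' line are assumptions about what a telemetry pipeline
might collect, not real Android output for CVE-2026-0039."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# logcat -v threadtime layout: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
LOGCAT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<lvl>[VDIWEF])\s+(?P<tag>[^:]+?)\s*:\s(?P<msg>.*)$"
)
# Constructed session-log format (assumption); a VPN or app-server log would do as well.
SESSION_RE = re.compile(r"inbound session established from (?P<src>[\d.]+)")

SAMPLE_LOGCAT = """\
06-02 10:15:30.010  2201  2210 I NetworkStack: inbound session established from 10.0.0.25 uid=10089
06-02 10:15:31.200  3412  3412 E ubsan   : runtime error: signed integer overflow in ubsan_throwing_runtime.cpp
06-02 10:15:31.250  3412  3412 F libc    : Fatal signal 6 (SIGABRT), code -1 (SI_QUEUE) in tid 3412 (com.example.svc)
06-02 10:15:33.000  3500  3500 E ubsan   : runtime error: signed integer overflow in ubsan_throwing_runtime.cpp
06-02 10:15:33.050  3500  3500 F libc    : Fatal signal 6 (SIGABRT), code -1 (SI_QUEUE) in tid 3500 (com.example.svc)
06-02 10:15:35.000  3600  3600 E ubsan   : runtime error: signed integer overflow in ubsan_throwing_runtime.cpp
06-02 10:15:35.050  3600  3600 F libc    : Fatal signal 6 (SIGABRT), code -1 (SI_QUEUE) in tid 3600 (com.example.svc)
06-02 11:40:00.000  4100  4100 F libc    : Fatal signal 11 (SIGSEGV) in tid 4100 (com.other.app)
"""


def parse_logcat(text, year=2026):
    """Turn threadtime lines into dicts; logcat omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LOGCAT_RE.match(line)
        if not m:
            continue  # tolerate wrapped or non-threadtime lines
        ts = datetime.strptime(f"{year}-{m['ts']}", "%Y-%m-%d %H:%M:%S.%f")
        events.append({"ts": ts, "pid": int(m["pid"]), "lvl": m["lvl"],
                       "tag": m["tag"].strip(), "msg": m["msg"]})
    return events


def find_ubsan_aborts(events, link_window=timedelta(seconds=2)):
    """Keep only SIGABRTs preceded (same pid, within link_window) by a UBSan
    report naming ubsan_throwing_runtime; unrelated crashes such as SIGSEGV are ignored."""
    aborts = []
    for i, ev in enumerate(events):
        if "SIGABRT" not in ev["msg"]:
            continue
        for prev in reversed(events[:i]):
            if ev["ts"] - prev["ts"] > link_window:
                break
            if prev["pid"] == ev["pid"] and "ubsan_throwing_runtime" in prev["msg"]:
                names = re.findall(r"\(([^)]+)\)", ev["msg"])  # last (...) is the process name
                aborts.append({"ts": ev["ts"], "pid": ev["pid"],
                               "process": names[-1] if names else "?"})
                break
    return aborts


def crash_loops(aborts, threshold=3, window=timedelta(seconds=60)):
    """Processes that aborted at least `threshold` times inside any `window`."""
    by_proc = defaultdict(list)
    for a in aborts:
        by_proc[a["process"]].append(a["ts"])
    looping = []
    for proc, times in by_proc.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            looping.append(proc)
    return looping


def correlate_with_sessions(events, aborts, lookback=timedelta(seconds=120)):
    """Attach to each abort the most recent inbound session seen within `lookback`."""
    sessions = []
    for e in events:
        m = SESSION_RE.search(e["msg"])
        if m:
            sessions.append((e["ts"], m["src"]))
    out = []
    for a in aborts:
        prior = [s for s in sessions if timedelta(0) <= a["ts"] - s[0] <= lookback]
        out.append({"ts": a["ts"], "process": a["process"],
                    "preceding_source": prior[-1][1] if prior else None})
    return out


if __name__ == "__main__":
    evs = parse_logcat(SAMPLE_LOGCAT)
    ab = find_ubsan_aborts(evs)
    print("UBSan aborts:", len(ab), "crash loops:", crash_loops(ab))
    for row in correlate_with_sessions(evs, ab):
        print(row)
```

Point the script at centralized logcat exports rather than a single device; the `link_window` and `lookback` values are tuning knobs, and the SIGSEGV line in the sample shows why the pairing step matters, since counting every fatal signal would inflate the alert rate.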
How to Mitigate CVE-2026-0039
Immediate Actions Required
- Apply the Android security patch level dated 2026-06-01 or later to all affected devices.
- Inventory all Android 14.0, 15.0, and 16.0 devices, including QPR2 beta builds, and prioritize patching.
- Restrict network exposure of affected devices until patches are deployed, particularly on untrusted networks.
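The inventory and patch-level tracking steps (identify Android 14.0/15.0/16.0 devices, including QPR2 beta builds, and compare each device against the 2026-06-01 security patch level) can be done from an MDM export. The block below is an added example, not from the advisory or from Google. `ro.build.version.release` and `ro.build.version.security_patch` are real Android system properties readable with `adb shell getprop`; the record layout, the device ids and values, and the `beta` field an MDM export would need to supply are constructed assumptions.

```python
"""Added patch-compliance example (not from the advisory or from Google).
Inventory records are CONSTRUCTED; in practice they would come from an MDM export
of ro.build.version.release and ro.build.version.security_patch per device."""
from datetime import date

FIXED_PATCH_LEVEL = date(2026, 6, 1)     # security patch level named in the advisory
AFFECTED_RELEASES = {"14", "15", "16"}   # Android 14.0, 15.0, 16.0 per the advisory

SAMPLE_INVENTORY = [  # constructed sample data
    {"device_id": "dev-001", "release": "16.0", "security_patch": "2026-06-01", "beta": False},
    {"device_id": "dev-002", "release": "15", "security_patch": "2026-05-05", "beta": False},
    {"device_id": "dev-003", "release": "16", "security_patch": "2026-04-05", "beta": True},  # QPR2 beta
    {"device_id": "dev-004", "release": "13", "security_patch": "2025-12-05", "beta": False},
    {"device_id": "dev-005", "release": "14", "security_patch": "bad-value", "beta": False},
]


def parse_patch_level(value):
    """Parse the YYYY-MM-DD patch level; None for a missing or malformed value."""
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def major_release(record):
    """'16.0' and '16' both map to the major release the advisory lists."""
    return str(record.get("release", "")).split(".")[0]


def classify(record):
    """'out_of_scope' for releases the advisory does not list, 'compliant' when the
    patch level is 2026-06-01 or later, otherwise 'needs_patch'. An unparseable
    patch level is treated as unpatched so a bad export never hides a device."""
    if major_release(record) not in AFFECTED_RELEASES:
        return "out_of_scope"
    level = parse_patch_level(record.get("security_patch"))
    if level is not None and level >= FIXED_PATCH_LEVEL:
        return "compliant"
    return "needs_patch"


def triage(inventory):
    """Group device ids by status. Beta-channel devices sort first inside each
    group, matching the advisory's advice to move them to stable builds."""
    groups = {"needs_patch": [], "compliant": [], "out_of_scope": []}
    ordered = sorted(inventory, key=lambda r: (not r.get("beta", False), r["device_id"]))
    for rec in ordered:
        groups[classify(rec)].append(rec["device_id"])
    return groups


if __name__ == "__main__":
    for status, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {ids}")
```

Re-run the triage after each OTA wave; a device that reports a parseable patch level of 2026-06-01 or later moves to the compliant group, while one whose export is blank or malformed stays flagged until the value is confirmed on the device.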
Patch Information
Google released the fix in the Android Security Bulletin June 2026. Device manufacturers ship the patch through their respective over-the-air update channels. Enterprises managing Android fleets should enforce patch compliance through their mobile device management (MDM) platform and verify the security patch level on each device after update.
Workarounds
- Remove devices from QPR2 beta channels and move to stable releases that include the June 2026 patch level.
- Limit network access to affected devices through network segmentation or VPN-only connectivity until patched.
- Disable or restrict applications that expose network-accessible services on unpatched devices.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

