
CVE-2026-0041: Google Android DoS Vulnerability

CVE-2026-0041 is a denial of service (DoS) vulnerability in Google Android caused by an integer overflow in ubsan_throwing_runtime.cpp. Attackers can trigger a remote DoS without privileges. This article covers technical details, impact, and mitigation.


CVE-2026-0041 Overview

CVE-2026-0041 is an integer overflow vulnerability [CWE-190] affecting multiple functions in ubsan_throwing_runtime.cpp in Google Android. The flaw triggers an Undefined Behavior Sanitizer (UBSan) failure that can lead to remote denial of service. Exploitation requires no user interaction and no execution privileges beyond the low-privilege context that the attack vector already assumes. Google addressed the issue in the Android Security Bulletin June 2026.

Critical Impact

A remote attacker with low privileges can trigger an integer overflow in UBSan runtime handling, causing process termination and denial of service across Android 14, 15, and 16 devices.

Affected Products

  • Google Android 14.0
  • Google Android 15.0
  • Google Android 16.0 (including QPR2 Beta 1, 2, and 3)

Discovery Timeline

  • 2026-06-01 - CVE-2026-0041 published to NVD and disclosed in the Android Security Bulletin
  • 2026-06-02 - Last updated in NVD database

Technical Details for CVE-2026-0041

Vulnerability Analysis

The vulnerability resides in multiple functions within ubsan_throwing_runtime.cpp, a component of the Undefined Behavior Sanitizer (UBSan) runtime used by Android. UBSan is compile-time instrumentation that detects undefined behavior in C and C++ code at runtime and reports it through this runtime library. When the affected functions process certain inputs, an integer overflow occurs that the runtime cannot handle gracefully.

The overflow forces UBSan to abort execution, terminating the affected process. Because the vulnerable code runs over a network-reachable attack surface and requires only low privileges, a remote attacker can repeatedly invoke the affected paths to trigger process termination. Confidentiality and integrity are not impacted, but availability is high impact according to the CVSS vector.

Root Cause

The root cause is an arithmetic operation in ubsan_throwing_runtime.cpp that exceeds the bounds of its integer type [CWE-190]. The runtime expects sanitized arithmetic but fails to validate intermediate results before they wrap around. When the overflow occurs in the very component responsible for handling undefined behavior, the sanitizer itself fails and aborts the process rather than recovering.

Attack Vector

An attacker reaches the vulnerable code path over the network with low privileges and no user interaction. The attacker crafts input that drives one of the affected functions into the overflowing arithmetic path. Repeated triggering produces a sustained denial of service condition on the targeted Android device.

No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS score is 0.105%, indicating low predicted exploitation activity. Technical specifics of the affected functions are described in the Android Open Source Project source tree referenced by the Android Security Bulletin June 2026.

Detection Methods for CVE-2026-0041

Indicators of Compromise

  • Unexpected process aborts referencing ubsan_throwing_runtime in Android logcat or tombstone files
  • Repeated crash signatures involving UBSan handlers across a short time window
  • Network traffic from untrusted sources preceding application or system service termination

Detection Strategies

  • Monitor Android tombstone and logcat output for crash entries citing UBSan integer overflow handlers
  • Correlate crash events with inbound network requests to identify remote triggering patterns
  • Track Android build fingerprints against the June 2026 security patch level to identify unpatched devices in fleet inventories

Monitoring Recommendations

  • Aggregate mobile device crash telemetry through MDM or EMM platforms and alert on UBSan-related signatures
  • Inspect network logs for repeated connections that precede device service restarts
  • Track Android security patch level (ro.build.version.security_patch) across managed devices to confirm June 2026 or later
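The first two detection strategies and the patch-level check above, as an added example that is not part of the original page: a Python script that parses logcat lines in threadtime format, flags bursts of UBSan integer-overflow reports, and compares a reported ro.build.version.security_patch value against 2026-06-01. The sample log lines, PIDs and the process name "svc_placeholder" are constructed; only the UBSan report shape ("runtime error: signed integer overflow") is the sanitizer's standard format.

```python
import re
from datetime import datetime

FIXED_PATCH_LEVEL = "2026-06-01"  # patch level named in the June 2026 bulletin

# Constructed sample logcat output (threadtime format); not captured from a real device.
SAMPLE_LOGCAT = """\
06-03 10:15:01.100  1234  1234 F libc    : ubsan_throwing_runtime.cpp:0:0: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
06-03 10:15:01.105  1234  1234 F libc    : Fatal signal 6 (SIGABRT), code -1 (SI_QUEUE) in tid 1234 (svc_placeholder), pid 1234 (svc_placeholder)
06-03 10:15:09.400  1301  1301 F libc    : ubsan_throwing_runtime.cpp:0:0: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
06-03 10:15:09.402  1301  1301 F libc    : Fatal signal 6 (SIGABRT), code -1 (SI_QUEUE) in tid 1301 (svc_placeholder), pid 1301 (svc_placeholder)
06-03 11:40:00.000  2000  2000 I ActivityManager: Start proc 2000:com.example/u0a1
"""

# Indicator named on this page: a UBSan integer-overflow report that cites ubsan_throwing_runtime.
UBSAN_OVERFLOW = re.compile(r"ubsan_throwing_runtime.*runtime error:.*integer overflow")
# threadtime line: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
LOGCAT_LINE = re.compile(r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(\d+)\s+\d+\s+[A-Z]\s+\S+\s*:\s*(.*)$")

def parse_logcat(text):
    """Yield (timestamp, pid, message) for each well-formed threadtime line."""
    for line in text.splitlines():
        m = LOGCAT_LINE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%m-%d %H:%M:%S.%f"), int(m.group(2)), m.group(3)

def ubsan_overflow_events(text):
    """Return (timestamp, pid) for every UBSan integer-overflow report in the log."""
    return [(ts, pid) for ts, pid, msg in parse_logcat(text) if UBSAN_OVERFLOW.search(msg)]

def is_crash_burst(events, window_s=60, threshold=2):
    """True if at least `threshold` overflow reports fall inside any `window_s` window."""
    times = sorted(ts for ts, _ in events)
    for i in range(len(times)):
        j = i
        while j < len(times) and (times[j] - times[i]).total_seconds() <= window_s:
            j += 1
        if j - i >= threshold:
            return True
    return False

def patch_level_is_fixed(level):
    """True if a ro.build.version.security_patch value is at or past the fixing level."""
    return datetime.strptime(level, "%Y-%m-%d") >= datetime.strptime(FIXED_PATCH_LEVEL, "%Y-%m-%d")

if __name__ == "__main__":
    evs = ubsan_overflow_events(SAMPLE_LOGCAT)
    print(f"{len(evs)} UBSan overflow reports; burst={is_crash_burst(evs)}")
    print("patched:", patch_level_is_fixed("2026-05-05"))
```

In production the log text comes from `adb logcat -v threadtime` or from MDM crash telemetry, and a burst should be correlated with inbound connection logs as the strategies above describe.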

How to Mitigate CVE-2026-0041

Immediate Actions Required

  • Apply the June 2026 Android security patch level (2026-06-01 or later) on all managed devices
  • Inventory devices running Android 14.0, 15.0, and 16.0 and prioritize update deployment
  • Restrict network exposure of affected services until patches are installed

Patch Information

Google released the fix as part of the Android Security Bulletin June 2026. Devices reporting a security patch level of 2026-06-01 or later contain the corrected ubsan_throwing_runtime.cpp code. Original equipment manufacturers (OEMs) distribute the patch through over-the-air updates on their own schedules.

Workarounds

  • Limit untrusted network input to affected Android services through firewall or VPN policies
  • Enforce MDM compliance rules requiring the June 2026 patch level before granting access to corporate resources
  • Disable or restrict third-party applications that expose network listeners on affected devices until patches are applied

```bash
# Verify Android security patch level on a device
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2026-06-01 or later
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
