CVE-2026-0042 Overview
CVE-2026-0042 is a local denial of service vulnerability affecting multiple functions in ubsan_throwing_runtime.cpp within the Android operating system. The flaw stems from improper resource management that allows an attacker to trigger persistent resource exhaustion. Google published the vulnerability in the Android Security Bulletin June 2026.
Exploitation requires local access with low privileges and no user interaction. A successful attack produces a persistent denial of service condition without granting additional execution privileges. The issue is categorized under [CWE-400] Uncontrolled Resource Consumption.
Critical Impact
A local attacker with low privileges can trigger persistent resource exhaustion in Android, producing a denial of service without user interaction.
Affected Products
- Google Android 14.0
- Google Android 15.0
- Google Android 16.0 (including QPR2 Beta 1, Beta 2, and Beta 3)
Discovery Timeline
- 2026-06-01 - Google releases security patch in the Android Security Bulletin
- 2026-06-01 - CVE-2026-0042 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-0042
Vulnerability Analysis
The vulnerability resides in multiple functions of ubsan_throwing_runtime.cpp, the Undefined Behavior Sanitizer (UBSan) throwing runtime component used in Android. UBSan instruments code to detect undefined behavior at runtime, but the throwing variant raises exceptions instead of terminating execution.
The flawed functions fail to bound resource allocation when handling repeated sanitizer events. An attacker who triggers undefined behavior conditions in a controlled manner can force the runtime to consume system resources without release. The resulting exhaustion persists across normal operation and degrades device availability.
The vulnerability impacts only availability. Confidentiality and integrity remain intact, and the attacker gains no execution privileges beyond those already held.
Root Cause
The root cause is uncontrolled resource consumption [CWE-400] within the UBSan throwing runtime. The affected functions do not enforce limits on allocation, retention, or recovery of resources tied to sanitizer-triggered exceptions. Repeated invocation accumulates state that the runtime never releases, producing a persistent denial of service.
Attack Vector
The attack vector is local. An attacker must already have low-privilege code execution on the device, such as through an installed application running with standard permissions. The attacker repeatedly invokes operations that trigger UBSan-monitored conditions, driving the throwing runtime into resource exhaustion. No user interaction is required during exploitation.
No public proof-of-concept code exists for this vulnerability. Refer to the Android Security Bulletin June 2026 for vendor-provided technical details.
Detection Methods for CVE-2026-0042
Indicators of Compromise
- Persistent degradation of device performance or unresponsiveness following installation or execution of an untrusted application.
- Abnormal growth in process memory or handle counts associated with components linking against the UBSan throwing runtime.
- Repeated UBSan diagnostic events in system logs originating from a single process or app.
Detection Strategies
- Monitor Android system logs (logcat) for high-frequency UBSan exception traces tied to a specific package or UID.
- Track per-process resource usage and flag processes that show sustained, unbounded growth in memory or file descriptors.
- Treat the EPSS score (0.005%, 27.99th percentile at publication) as a prioritization input only. EPSS estimates the probability that a CVE is exploited in the wild; it is not device telemetry and detects nothing on its own. A low score means the log- and resource-based signals above, not the CVE's exploit likelihood, should drive alerting on unusual local activity.
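The two log- and resource-based strategies above, as an added example that is not taken from the Android Security Bulletin or from any Google code: a small Python analyzer over `logcat -v threadtime` output that flags a PID emitting sanitizer diagnostics in bursts and a PID whose RSS only ever grows. The sample log lines, package name and RSS samples are constructed. The pattern used to recognize a UBSan diagnostic (`runtime error:`) is an assumption borrowed from the message format of the other UBSan runtimes, since the bulletin does not document the throwing runtime's log text; the ActivityManager `Start proc <pid>:<package>/<uid>` line is the one normal logcat shows when an app process starts.

```python
"""Flag processes emitting UBSan diagnostics in bursts and processes whose RSS
only ever grows. Added example; the input is constructed, not device output."""
import re
from collections import defaultdict
from datetime import datetime

# logcat -v threadtime: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG     : message"
LOGCAT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)"
    r"\s+(?P<level>[VDIWEF])\s+(?P<tag>[^:]+?)\s*:\s*(?P<msg>.*)$"
)
# ASSUMPTION: the throwing runtime's diagnostics contain "runtime error:" like
# the other UBSan runtimes do; adjust once the real text is confirmed on a device.
UBSAN_RE = re.compile(r"runtime error:|UndefinedBehaviorSanitizer", re.IGNORECASE)
# ActivityManager logs "Start proc <pid>:<package>/<uid> ..." when an app process starts.
START_PROC_RE = re.compile(r"Start proc (?P<pid>\d+):(?P<pkg>[\w.]+)/")


def parse_logcat(lines):
    """Yield dicts for lines that match the threadtime format; skip the rest."""
    for line in lines:
        m = LOGCAT_RE.match(line)
        if m:
            yield m.groupdict()


def pid_to_package(lines):
    """Map PID -> package from ActivityManager 'Start proc' lines."""
    mapping = {}
    for rec in parse_logcat(lines):
        m = START_PROC_RE.search(rec["msg"])
        if m:
            mapping[m["pid"]] = m["pkg"]
    return mapping


def ubsan_burst_pids(lines, threshold=20, window_s=60, year=2026):
    """Return {pid: total_count} for PIDs with >= threshold UBSan diagnostics
    inside any sliding window of window_s seconds. logcat omits the year, so
    one is supplied to build comparable timestamps."""
    stamps_by_pid = defaultdict(list)
    for rec in parse_logcat(lines):
        if UBSAN_RE.search(rec["msg"]):
            ts = datetime.strptime(f"{year}-{rec['ts']}", "%Y-%m-%d %H:%M:%S.%f")
            stamps_by_pid[rec["pid"]].append(ts)
    flagged = {}
    for pid, stamps in stamps_by_pid.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[pid] = len(stamps)
                break
    return flagged


def unbounded_growth(rss_kb, min_samples=5, min_growth_kb=50_000):
    """True when a process's RSS samples (KiB, oldest first) never drop and grow
    by at least min_growth_kb: the leak signature, as opposed to a process that
    spikes and recovers."""
    if len(rss_kb) < min_samples:
        return False
    never_drops = all(later >= earlier for earlier, later in zip(rss_kb, rss_kb[1:]))
    return never_drops and rss_kb[-1] - rss_kb[0] >= min_growth_kb


def _line(ts, pid, tag, msg, level="E"):
    return f"{ts} {pid:5d} {pid:5d} {level} {tag:<8}: {msg}"


# Constructed sample: PID 4242 (com.example.app) emits 25 diagnostics in 24 s,
# PID 1000 emits 3 over ten minutes, plus one unrelated ActivityManager line.
SAMPLE_LOG = (
    [_line("06-02 10:15:29.900", 777, "ActivityManager",
           "Start proc 4242:com.example.app/u0a123 for activity {com.example.app/.Main}")]
    + [_line(f"06-02 10:15:{sec:02d}.000", 4242, "libc",
             "runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'")
       for sec in range(30, 55)]
    + [_line(f"06-02 10:{minute:02d}:00.000", 1000, "libc",
             "runtime error: load of null pointer of type 'int'")
       for minute in (5, 10, 15)]
)
# Constructed RSS samples (KiB) for the two processes, oldest first.
RSS_SAMPLES_KB = {
    "4242": [120_000, 180_000, 260_000, 340_000, 410_000, 505_000],
    "1000": [90_000, 95_000, 91_000, 97_000, 92_000],
}


def report(lines=SAMPLE_LOG, rss=RSS_SAMPLES_KB):
    """Combine both signals: a PID is a suspect if it bursts or leaks."""
    packages = pid_to_package(lines)
    bursts = ubsan_burst_pids(lines)
    suspects = {}
    for pid in set(bursts) | set(rss):
        leaking = unbounded_growth(rss.get(pid, []))
        if pid in bursts or leaking:
            suspects[pid] = {"package": packages.get(pid, "?"),
                             "ubsan_events": bursts.get(pid, 0), "rss_growth": leaking}
    return suspects


if __name__ == "__main__":
    for pid, info in report().items():
        print(pid, info)
```

On a real device, feed `adb shell logcat -v threadtime -d` to `report()` and replace the RSS dictionary with periodic `dumpsys meminfo` or `/proc/<pid>/status` samples; the burst threshold and window are deliberately conservative so that a single crash-and-report does not trip the alert.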
Monitoring Recommendations
- Enroll devices in mobile device management (MDM) and collect security event telemetry from Android endpoints.
- Alert on applications that generate sustained sanitizer events or that repeatedly crash and restart system components.
- Review installed application inventories to identify untrusted or sideloaded packages on devices running Android 14, 15, or 16.
How to Mitigate CVE-2026-0042
Immediate Actions Required
- Apply the Android security patch level dated 2026-06-01 or later to all affected devices.
- Restrict installation of untrusted applications and disable sideloading on managed devices.
- Audit installed applications for those requesting unusual access or exhibiting abnormal resource consumption.
Patch Information
Google addressed CVE-2026-0042 in the Android Security Bulletin dated June 1, 2026. Device manufacturers integrate this patch into their monthly security updates. Verify that affected devices report a security patch level of 2026-06-01 or later. Refer to the Android Security Bulletin June 2026 for full patch details and source references.
Workarounds
- Limit local code execution by enforcing Google Play Protect and blocking installation from unknown sources.
- Apply MDM policies that restrict app permissions and prevent execution of unverified binaries.
- Reboot affected devices to clear exhausted resources until patches are applied. This is temporary: the leaked state is rebuilt as soon as the triggering application runs again, so identify and remove that application as well.
# Verify Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output: 2026-06-01 or later
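To run the same check across a managed fleet rather than one device at a time, here is an added Python example (not from the bulletin or from Google): it enumerates attached devices with `adb devices -l`, reads `ro.build.version.security_patch` from each, and compares the value against 2026-06-01. The `adb` output and device serials are constructed, and the command runner is injectable so the logic can be exercised with no device attached.

```python
"""Check the security patch level of every device attached to adb. Added
example; the adb output below is constructed and the command runner is
injectable so the logic runs without a device."""
import re
import subprocess

REQUIRED_PATCH_LEVEL = "2026-06-01"   # patch level that carries the CVE-2026-0042 fix
PATCH_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def patch_level_ok(level, required=REQUIRED_PATCH_LEVEL):
    """ISO dates compare correctly as strings; anything malformed is treated as
    unpatched rather than silently passing."""
    level = level.strip()
    if not PATCH_RE.match(level):
        return False
    return level >= required


def parse_devices(adb_devices_output):
    """Return serials from `adb devices -l` that are in the 'device' state;
    unauthorized or offline devices cannot be queried and are skipped."""
    serials = []
    for line in adb_devices_output.splitlines()[1:]:   # first line is the header
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "device":
            serials.append(parts[0])
    return serials


def adb(args):
    """Run an adb command and return stdout. Older adb builds emit CRLF from
    `adb shell`, hence the carriage-return strip."""
    out = subprocess.run(["adb", *args], capture_output=True, text=True, check=True).stdout
    return out.replace("\r", "")


def audit(run=adb, required=REQUIRED_PATCH_LEVEL):
    """{serial: (patch_level, ok)} for every connected device."""
    results = {}
    for serial in parse_devices(run(["devices", "-l"])):
        level = run(["-s", serial, "shell", "getprop", "ro.build.version.security_patch"]).strip()
        results[serial] = (level, patch_level_ok(level, required))
    return results


# Constructed adb responses standing in for two attached devices and one
# unauthorized device; serials and models are invented.
FAKE_ADB_OUTPUT = {
    ("devices", "-l"): (
        "List of devices attached\n"
        "R58N1234ABC            device usb:1-1 product:p3q model:Pixel_9 transport_id:3\n"
        "ZY22GH7KLM             unauthorized usb:1-2 transport_id:4\n"
        "emulator-5554          device product:sdk_gphone64 model:sdk_gphone64 transport_id:5\n"
    ),
    ("-s", "R58N1234ABC", "shell", "getprop", "ro.build.version.security_patch"): "2026-06-05\r\n",
    ("-s", "emulator-5554", "shell", "getprop", "ro.build.version.security_patch"): "2026-05-01\n",
}


def fake_adb(args):
    """Stand-in for adb() that answers from the constructed table."""
    return FAKE_ADB_OUTPUT[tuple(args)].replace("\r", "")


if __name__ == "__main__":
    for serial, (level, ok) in audit().items():   # pass run=fake_adb to dry-run
        print(f"{serial}: {level} {'patched' if ok else 'UNPATCHED'}")
```

A malformed or empty property (for example on a device whose build does not set it) is reported as unpatched on purpose; a fleet check that fails open on unexpected input is worse than one that asks for a manual look.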
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

