CVE Vulnerability Database

CVE-2026-0043: Google Android DOS Vulnerability

CVE-2026-0043 is a denial of service flaw in Google Android caused by an integer overflow in ubsan_throwing_runtime.cpp. A local attacker with low privileges can trigger a persistent denial of service with no user interaction. Explore technical details, affected versions, impact, and mitigation strategies.


CVE-2026-0043 Overview

CVE-2026-0043 is an integer overflow vulnerability [CWE-190] in multiple functions of ubsan_throwing_runtime.cpp within Google Android. The flaw allows a local attacker to trigger a persistent denial of service with no additional execution privileges needed and no user interaction. Google disclosed the vulnerability in the June 2026 Android Security Bulletin. Affected releases include Android 14, 15, and 16, including the 16.0 QPR2 beta builds. The issue is locally exploitable and impacts the availability of the affected device; it does not directly expose data confidentiality or integrity. Some of the text on this page also describes the outcome as local escalation of privilege. That wording conflicts with the availability-only impact stated here, so treat the escalation claim as unverified and check the bulletin entry itself before it drives a severity decision.

Critical Impact

A local attacker with low privileges, such as a malicious or compromised app, can trigger a persistent denial of service through the integer overflow without any user interaction. The description on this page also mentions local privilege escalation, but the stated impact is availability only.

Affected Products

  • Google Android 14.0
  • Google Android 15.0
  • Google Android 16.0 (including QPR2 Beta 1, Beta 2, and Beta 3)

Discovery Timeline

  • 2026-06-01 - Google publishes the Android Security Bulletin addressing CVE-2026-0043
  • 2026-06-01 - CVE-2026-0043 published to NVD
  • 2026-06-02 - Last updated in NVD database

Technical Details for CVE-2026-0043

Vulnerability Analysis

The vulnerability resides in multiple functions within ubsan_throwing_runtime.cpp, part of the UndefinedBehaviorSanitizer (UBSan) runtime shipped with Android. An integer overflow in this runtime lets a local attacker trigger a persistent denial of service. The public description does not say in which process or privilege context the affected functions run, so the claim that the denial of service can become a local privilege escalation is not supported by the information on this page and should be checked against the bulletin's own classification. No user interaction is required, and the attacker needs only low local privileges, such as those of an installed app, to trigger the condition.

Root Cause

The root cause is an integer overflow [CWE-190] in arithmetic performed by routines in ubsan_throwing_runtime.cpp. When an input exceeds the range of the integer type used in the runtime's own checks, the result wraps around and the runtime acts on the wrapped value instead of failing cleanly. The public description does not say which values overflow or what the wrapped value is used for. It does classify the result as a persistent denial of service, meaning the failure is not cleared by a normal restart of the affected process or device; this is what distinguishes it from a one-off crash that the system recovers from on its own.

Attack Vector

Exploitation requires local access with low privileges on the target Android device. An attacker with a foothold, such as a malicious or compromised application, invokes the affected runtime functions with crafted inputs that trigger the overflow. Because user interaction is not required, exploitation can occur silently in the background. This page does not describe the crafted input or name the specific functions; the entry in the Android Security Bulletin – June 2026, and the AOSP change it references, is the authoritative source for those details.

Detection Methods for CVE-2026-0043

Indicators of Compromise

  • Repeated process crashes or system service restarts referencing UBSan or ubsan_throwing_runtime in logcat and dropbox logs.
  • Persistent boot loops or service unavailability following installation or execution of an untrusted application.
  • Unexpected privilege transitions for applications that should not hold elevated capabilities.

Detection Strategies

  • Monitor Android device telemetry for abnormal crash frequencies tied to native runtime libraries and sanitizer components.
  • Review installed application inventories for sideloaded or unsigned packages that appeared shortly before crash patterns emerged.
  • Correlate denial-of-service symptoms with subsequent changes to SELinux contexts or process privileges.
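The crash-frequency strategy above can be scripted against the tombstone summary that debuggerd writes to logcat. The following is an added example, not code from the page or from Google: it counts, per process, crashes whose backtrace references the UBSan runtime library and flags processes that hit a threshold. The SAMPLE_LOGCAT lines are constructed for the demo; the pids, timestamps and the library path are illustrative and stand in for whatever your devices actually log.

```shell
#!/bin/sh
# Added example (not from the page or from Google): flag processes that crash
# repeatedly with the UBSan runtime in their backtrace, using the tombstone
# summary that debuggerd writes to logcat. SAMPLE_LOGCAT is constructed for
# this demo; pids, timestamps and the library path are illustrative only.

SAMPLE_LOGCAT='01-01 10:00:01.000  1234  1234 F libc    : Fatal signal 6 (SIGABRT), code -6 (SI_TKILL) in tid 1234 (system_server), pid 1234 (system_server)
01-01 10:00:01.100  5678  5678 F DEBUG   : pid: 1234, tid: 1234, name: system_server  >>> system_server <<<
01-01 10:00:01.200  5678  5678 F DEBUG   :       #00 pc 000000000004c1d0  /system/lib64/libclang_rt.ubsan_standalone-aarch64-android.so
01-01 10:00:01.201  5678  5678 F DEBUG   :       #01 pc 00000000000a8f10  /system/lib64/libclang_rt.ubsan_standalone-aarch64-android.so
01-01 10:00:09.000  2001  2001 F libc    : Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR) in tid 2001 (com.other), pid 2001 (com.other)
01-01 10:00:09.100  5679  5679 F DEBUG   : pid: 2001, tid: 2001, name: com.other  >>> com.other <<<
01-01 10:00:09.200  5679  5679 F DEBUG   :       #00 pc 0000000000071234  /apex/com.android.runtime/lib64/bionic/libc.so (strlen+52)
01-01 10:00:30.000  1300  1300 F libc    : Fatal signal 6 (SIGABRT), code -6 (SI_TKILL) in tid 1300 (system_server), pid 1300 (system_server)
01-01 10:00:30.100  5680  5680 F DEBUG   : pid: 1300, tid: 1300, name: system_server  >>> system_server <<<
01-01 10:00:30.200  5680  5680 F DEBUG   :       #00 pc 000000000004c1d0  /system/lib64/libclang_rt.ubsan_standalone-aarch64-android.so
01-01 10:00:45.000  3100  3100 F libc    : Fatal signal 6 (SIGABRT), code -6 (SI_TKILL) in tid 3100 (com.example.app), pid 3100 (com.example.app)
01-01 10:00:45.100  5681  5681 F DEBUG   : pid: 3100, tid: 3100, name: com.example.app  >>> com.example.app <<<
01-01 10:00:45.200  5681  5681 F DEBUG   :       #00 pc 000000000004c1d0  /system/lib64/libclang_rt.ubsan_standalone-aarch64-android.so'

# Read logcat on stdin and print "process count" for every process whose crash
# backtrace mentions the UBSan runtime. Each crash is counted once, however many
# ubsan frames it contains; crashes elsewhere (com.other above) are ignored.
ubsan_crash_counts() {
    awk '
        /F DEBUG +: pid: / {
            # tombstone header: "pid: N, tid: N, name: X  >>> X <<<" starts a new crash
            if (match($0, />>> [^ ]+ <<</)) {
                proc = substr($0, RSTART + 4, RLENGTH - 8)
                counted = 0
            }
            next
        }
        /F DEBUG +: / && /ubsan/ && proc != "" && !counted {
            crashes[proc]++
            counted = 1
        }
        END { for (p in crashes) print p, crashes[p] }
    ' | sort
}

# Print the processes that crashed in the UBSan runtime at least $1 times.
flag_repeated() {
    ubsan_crash_counts | awk -v threshold="$1" '$2 >= threshold { print $1 }'
}

# Demo on the constructed sample; on a device use: adb logcat -d -b crash | flag_repeated 3
printf '%s\n' "$SAMPLE_LOGCAT" | flag_repeated 2
```

Run against a live device with `adb logcat -d -b crash | flag_repeated 3`, where the crash buffer holds only native crash output. A system process such as system_server that shows up here will usually also be visible as repeated device restarts, which is the boot-loop symptom listed under the indicators above.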

Monitoring Recommendations

  • Ingest Android system and security logs into a centralized analytics platform to flag repeated native crashes.
  • Track Android patch level (ro.build.version.security_patch) across the managed fleet to confirm devices receive the June 2026 update.
  • Alert on devices that remain on a 2026-05 or earlier security patch level beyond defined SLA windows; both the 2026-05-01 and 2026-05-05 levels predate the fix.

How to Mitigate CVE-2026-0043

Immediate Actions Required

  • Apply the June 2026 Android security patch level (2026-06-01) on all managed devices.
  • Enforce mobile device management policies that block sideloading of untrusted applications.
  • Restrict installation sources to vetted application stores and audit application permissions on critical devices.

Patch Information

Google addressed CVE-2026-0043 in the June 2026 Android Security Bulletin. Devices must be updated to the 2026-06-01 security patch level or later. Refer to the Android Security Bulletin – June 2026 for vendor-specific update guidance and OEM rollout timelines.

Workarounds

  • No vendor-supplied workaround exists; applying the security patch is the only supported remediation.
  • Limit exposure by removing untrusted applications and avoiding installation of packages from unknown sources until the patch is deployed.
  • Use enterprise mobility management to quarantine devices that cannot receive the June 2026 patch level within policy timelines.
```bash
# Verify the Android security patch level on a device
adb shell getprop ro.build.version.security_patch
# Expected output: 2026-06-01 or later
```
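The single-device check above scales to a fleet once the comparison is done correctly: patch levels are ISO dates, the property can be empty on an engineering build, and a device on 2026-05-05 is still vulnerable even though "05" is numerically larger than "01". The script below is an added example, not code from the page or from Google. It classifies each device as PATCHED, VULNERABLE or UNKNOWN and, with real hardware, walks every authorized device that `adb devices` lists. SAMPLE_INVENTORY is constructed for the offline demo; the serials and levels in it are made up.

```shell
#!/bin/sh
# Added example (not from the page or from Google): audit the security patch level
# of every device attached over adb and report those below the 2026-06-01 level that
# fixes CVE-2026-0043. SAMPLE_INVENTORY is constructed for the offline demo; the
# serials and levels are made up.

REQUIRED_PATCH_LEVEL=2026-06-01

# Returns 0 if the YYYY-MM-DD patch level is at or after REQUIRED_PATCH_LEVEL,
# 1 if it is older, 2 if the property is empty or malformed (treated as unknown,
# never as patched).
patch_level_ok() {
    level=$1
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Dropping the dashes turns 2026-06-01 into 20260601, so an integer comparison
    # orders the levels correctly, including the mid-month -05 levels.
    have=$(printf '%s' "$level" | sed 's/-//g')
    need=$(printf '%s' "$REQUIRED_PATCH_LEVEL" | sed 's/-//g')
    [ "$have" -ge "$need" ]
}

# Print "serial level STATUS" for one device.
classify_device() {
    serial=$1
    level=$2
    if patch_level_ok "$level"; then rc=0; else rc=$?; fi
    case $rc in
        0) status=PATCHED ;;
        2) status=UNKNOWN ;;
        *) status=VULNERABLE ;;
    esac
    printf '%s %s %s\n' "$serial" "${level:-<unset>}" "$status"
}

# Read "serial level" lines on stdin and classify each one.
classify_inventory() {
    while read -r serial level; do
        classify_device "$serial" "$level"
    done
}

# From classified lines on stdin, print only the serials marked VULNERABLE.
vulnerable_serials() {
    awk '$3 == "VULNERABLE" { print $1 }'
}

# Live fleet audit: query each attached, authorized device through adb.
# Devices reported as "unauthorized" or "offline" are skipped, not classified.
audit_fleet() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
        classify_device "$serial" "$level"
    done
}

SAMPLE_INVENTORY='PIXEL001 2026-06-01
PIXEL002 2026-05-05
TAB0042 2025-12-01
OLD0007 '

# Offline demo on the constructed inventory; swap in audit_fleet for real devices.
demo_audit() {
    printf '%s\n' "$SAMPLE_INVENTORY" | classify_inventory
}

demo_audit
```

Pipe the output through `vulnerable_serials` (for example `audit_fleet | vulnerable_serials`) to get the list of devices to quarantine under the EMM policy described above. Devices that come back UNKNOWN deserve a manual look rather than a pass: an empty or malformed patch-level property is not evidence that the fix is present.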

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
