CVE-2026-0043 Overview
CVE-2026-0043 is an integer overflow vulnerability [CWE-190] in multiple functions of ubsan_throwing_runtime.cpp within Google Android. The flaw enables a persistent denial of service that can lead to local escalation of privilege without requiring additional execution privileges or user interaction. Google disclosed the vulnerability in the June 2026 Android Security Bulletin. Affected releases are Android 14, 15, and 16, among them the 16.0 QPR2 beta builds. The issue is locally exploitable and impacts the availability of the affected device, but does not directly expose data confidentiality or integrity.
Critical Impact
An authenticated local attacker can trigger a persistent denial of service through an integer overflow, potentially leading to local privilege escalation on affected Android devices.
Affected Products
- Google Android 14.0
- Google Android 15.0
- Google Android 16.0 (including QPR2 Beta 1, Beta 2, and Beta 3)
Discovery Timeline
- 2026-06-01 - Google publishes the Android Security Bulletin addressing CVE-2026-0043
- 2026-06-01 - CVE-2026-0043 published to NVD
- 2026-06-02 - Last updated in the NVD database
Technical Details for CVE-2026-0043
Vulnerability Analysis
The vulnerability resides in multiple functions within ubsan_throwing_runtime.cpp, a component of the Undefined Behavior Sanitizer (UBSan) throwing runtime used in Android. An integer overflow condition in this runtime allows a local attacker to trigger a persistent denial of service. Because the affected code path executes within a privileged context, the denial of service can transition into local privilege escalation. No user interaction is required, and the attacker needs only low local privileges to trigger the condition.
Root Cause
The root cause is an integer overflow [CWE-190] in arithmetic operations performed by routines in ubsan_throwing_runtime.cpp. When inputs exceed the bounds of the integer type used during runtime checks, the resulting value wraps around. This wrap leads to incorrect memory or control-flow decisions that destabilize the runtime in a persistent manner. The persistence of the denial of service indicates that the corrupted state survives across normal recovery boundaries.
Attack Vector
Exploitation requires local access with low privileges on the target Android device. An attacker with a foothold, such as a malicious or compromised application, invokes the affected runtime functions with crafted inputs that trigger the overflow. Because user interaction is not required, exploitation can occur silently in the background. The full technical specifics are detailed in the Android Security Bulletin – June 2026.
Detection Methods for CVE-2026-0043
Indicators of Compromise
- Repeated process crashes or system service restarts referencing UBSan or ubsan_throwing_runtime in logcat and dropbox logs.
- Persistent boot loops or service unavailability following installation or execution of an untrusted application.
- Unexpected privilege transitions for applications that should not hold elevated capabilities.
Detection Strategies
- Monitor Android device telemetry for abnormal crash frequencies tied to native runtime libraries and sanitizer components.
- Review installed application inventories for sideloaded or unsigned packages that appeared shortly before crash patterns emerged.
- Correlate denial-of-service symptoms with subsequent changes to SELinux contexts or process privileges.
Monitoring Recommendations
- Ingest Android system and security logs into a centralized analytics platform to flag repeated native crashes.
- Track Android patch level (ro.build.version.security_patch) across the managed fleet to confirm devices receive the June 2026 update.
- Alert on devices that remain on the 2026-05-01 or earlier security patch level beyond defined SLA windows.
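The detection and monitoring guidance above, as an added Python example that is not part of the original advisory and not Google tooling. It parses constructed logcat lines in threadtime format, counts native crashes whose tombstone backtrace references the UBSan runtime, and buckets a constructed fleet inventory by ro.build.version.security_patch against the 2026-06-01 level. The crash-frame pattern, the library path in the sample tombstone, the crash threshold and the device identifiers are assumptions chosen for illustration.

```python
"""Fleet-side checks for repeated sanitizer-runtime crashes and patch-level drift.

Added example, not vendor code. All log lines and device records below are
constructed samples; the sanitizer frame pattern is an assumption about how a
native crash touching the UBSan runtime would surface in a logcat tombstone.
"""
import re
from collections import Counter
from datetime import date

FIXED_PATCH_LEVEL = date(2026, 6, 1)  # June 2026 Android security patch level

# logcat "threadtime" format: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG : message"
LOGCAT_LINE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>\S+)\s*:\s*(?P<msg>.*)$"
)
# Tombstone header written by debuggerd names the crashing process as ">>> name <<<".
CRASH_HEADER = re.compile(r">>> (?P<proc>\S+) <<<")
# Assumed: a backtrace frame that lands in the UBSan runtime (tune to real telemetry).
SANITIZER_FRAME = re.compile(r"ubsan_throwing_runtime|libclang_rt\.ubsan", re.IGNORECASE)

# Constructed sample: three system_server tombstones hitting the sanitizer runtime,
# one unrelated app crash, one ordinary ActivityManager line. Library path is a placeholder.
SAMPLE_LOGCAT = """\
06-02 10:14:03.118  1234  1234 F DEBUG   : pid: 2200, tid: 2200, name: system_server  >>> system_server <<<
06-02 10:14:03.120  1234  1234 F DEBUG   :       #00 pc 00000000000a1b2c  /system/lib64/libclang_rt.ubsan_standalone-aarch64-android.so (ubsan_throwing_runtime.cpp:0)
06-02 10:14:09.501  1234  1234 F DEBUG   : pid: 2311, tid: 2311, name: system_server  >>> system_server <<<
06-02 10:14:09.503  1234  1234 F DEBUG   :       #00 pc 00000000000a1b2c  /system/lib64/libclang_rt.ubsan_standalone-aarch64-android.so (ubsan_throwing_runtime.cpp:0)
06-02 10:14:15.877  1234  1234 F DEBUG   : pid: 2402, tid: 2402, name: system_server  >>> system_server <<<
06-02 10:14:15.879  1234  1234 F DEBUG   :       #00 pc 00000000000a1b2c  /system/lib64/libclang_rt.ubsan_standalone-aarch64-android.so (ubsan_throwing_runtime.cpp:0)
06-02 10:20:00.000  3100  3100 F DEBUG   : pid: 3100, tid: 3100, name: com.example.game  >>> com.example.game <<<
06-02 10:20:00.002  3100  3100 F DEBUG   :       #00 pc 0000000000001234  /data/app/com.example.game/lib/arm64/libgame.so (render+48)
06-02 10:21:00.000   900   900 I ActivityManager: Start proc 3300:com.example.app/u0a123
"""


def sanitizer_crashes(log_text):
    """Return [(timestamp, process)] for each tombstone whose backtrace references the UBSan runtime.

    A tombstone spans several F/DEBUG lines: the ">>> proc <<<" header, then frames.
    Each tombstone is counted at most once, when its first sanitizer frame is seen.
    """
    events = []
    current = None       # (timestamp, process) of the tombstone being read
    attributed = False   # has the current tombstone already been counted?
    for raw in log_text.splitlines():
        m = LOGCAT_LINE.match(raw)
        if not m or m["level"] != "F" or m["tag"] != "DEBUG":
            continue
        header = CRASH_HEADER.search(m["msg"])
        if header:
            current, attributed = (m["ts"], header["proc"]), False
            continue
        if current and not attributed and SANITIZER_FRAME.search(m["msg"]):
            events.append(current)
            attributed = True
    return events


def repeated_crashers(log_text, threshold=3):
    """Processes that crashed in the sanitizer runtime at least `threshold` times (assumed cutoff)."""
    counts = Counter(proc for _, proc in sanitizer_crashes(log_text))
    return {proc: n for proc, n in counts.items() if n >= threshold}


def parse_patch_level(value):
    """Parse a ro.build.version.security_patch value (YYYY-MM-DD); None when malformed or empty."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def patch_compliance(fleet, required=FIXED_PATCH_LEVEL):
    """Bucket device ids by whether their reported patch level is at or past `required`."""
    status = {"patched": [], "unpatched": [], "unknown": []}
    for device_id, level in fleet.items():
        parsed = parse_patch_level(level)
        if parsed is None:
            status["unknown"].append(device_id)   # missing/garbled value: treat as needing follow-up
        elif parsed >= required:
            status["patched"].append(device_id)
        else:
            status["unpatched"].append(device_id)
    return status


# Constructed sample inventory: device id -> ro.build.version.security_patch as reported by MDM.
SAMPLE_FLEET = {
    "pixel-a1": "2026-06-01",
    "pixel-b2": "2026-05-01",
    "tab-c3": "2026-07-05",
    "kiosk-d4": "",
}

if __name__ == "__main__":
    print("repeated sanitizer crashes:", repeated_crashers(SAMPLE_LOGCAT))
    print("patch compliance:", patch_compliance(SAMPLE_FLEET))
```

Devices in the "unpatched" bucket that also show up in `repeated_crashers` output are the ones to prioritise for the quarantine and update actions described below; devices in "unknown" report no usable patch level and should be re-inventoried rather than assumed safe.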
How to Mitigate CVE-2026-0043
Immediate Actions Required
- Apply the June 2026 Android security patch level (2026-06-01) on all managed devices.
- Enforce mobile device management policies that block sideloading of untrusted applications.
- Restrict installation sources to vetted application stores and audit application permissions on critical devices.
Patch Information
Google addressed CVE-2026-0043 in the June 2026 Android Security Bulletin. Devices must be updated to the 2026-06-01 security patch level or later. Refer to the Android Security Bulletin – June 2026 for vendor-specific update guidance and OEM rollout timelines.
Workarounds
- No vendor-supplied workaround exists; applying the security patch is the only supported remediation.
- Limit exposure by removing untrusted applications and avoiding installation of packages from unknown sources until the patch is deployed.
- Use enterprise mobility management to quarantine devices that cannot receive the June 2026 patch level within policy timelines.
# Verify the Android security patch level on a device
adb shell getprop ro.build.version.security_patch
# Expected output: 2026-06-01 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.