CVE-2026-0044: Google Android DoS Vulnerability

CVE-2026-0044 is a denial of service flaw in Google Android caused by an integer overflow in ubsan_throwing_runtime.cpp. Attackers can remotely crash the system without additional execution privileges or user interaction.

CVE-2026-0044 Overview

CVE-2026-0044 is an integer overflow vulnerability [CWE-190] affecting multiple functions in ubsan_throwing_runtime.cpp within the Android operating system. The flaw allows an attacker to trigger a system crash, resulting in remote denial of service. Exploitation requires no user interaction and no additional execution privileges beyond low-privileged network access. Google addressed the issue in the June 2026 Android Security Bulletin. The vulnerability affects Android 14.0, 15.0, and 16.0, including QPR2 beta builds.

Critical Impact

Remote attackers with low privileges can crash affected Android systems without user interaction, disrupting device availability.

Affected Products

  • Google Android 14.0
  • Google Android 15.0
  • Google Android 16.0 (including QPR2 Beta 1, 2, and 3)

Discovery Timeline

  • 2026-06-01 - Google publishes the Android Security Bulletin addressing CVE-2026-0044
  • 2026-06-01 - CVE-2026-0044 published to NVD
  • 2026-06-02 - Last updated in NVD database

Technical Details for CVE-2026-0044

Vulnerability Analysis

The vulnerability resides in multiple functions of ubsan_throwing_runtime.cpp, a component associated with the UndefinedBehaviorSanitizer (UBSan) throwing runtime used to report undefined behavior at runtime. An integer overflow condition in these functions can cause the system to enter an unrecoverable state and crash. The flaw produces remote denial of service impact, with confidentiality and integrity left unaffected. Exploitation requires network reachability and a low level of privilege, but no user interaction is required.

Root Cause

The root cause is an arithmetic operation in ubsan_throwing_runtime.cpp that fails to validate operand bounds before computation. When supplied input drives the calculation past the maximum value of the integer type, the result wraps around. This wrap leads to invalid state inside the runtime, triggering a crash in downstream logic that depends on the corrupted value. The issue is classified under [CWE-190] Integer Overflow or Wraparound.

Attack Vector

The attack vector is network-based with low attack complexity. An attacker holding low privileges on the target system can submit crafted input that reaches the vulnerable runtime functions. Because user interaction is not required, the condition can be triggered against exposed services. The result is a process or system crash, denying service to legitimate users. No code execution or data disclosure occurs as a direct consequence of the flaw.

No public proof-of-concept code or exploit is available at the time of disclosure. Technical details are limited to the description in the Android Security Bulletin June 2026.

Detection Methods for CVE-2026-0044

Indicators of Compromise

  • Unexpected process termination or system reboots on Android devices running versions 14.0, 15.0, or 16.0
  • Crash logs referencing ubsan_throwing_runtime or UBSan-related signal handlers
  • Repeated abnormal terminations of the same service tied to specific inbound network requests

Detection Strategies

  • Monitor Android logcat and tombstone files for crashes that reference ubsan_throwing_runtime.cpp symbols or integer overflow signals
  • Correlate device crash telemetry with inbound network traffic patterns to identify potential remote triggers
  • Track patch level fingerprints across the device fleet to identify systems missing the June 2026 security update

Monitoring Recommendations

  • Aggregate mobile device crash reports and security patch level data into a centralized analytics platform for fleet-wide visibility
  • Alert when a device still does not report the June 2026 or later Android security patch level after the rollout window closes
  • Review network logs for anomalous traffic targeting Android endpoints that precedes crash events
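
The crash-to-traffic correlation described under Detection Strategies and Monitoring Recommendations can be sketched as follows. This is an added example, not code from the bulletin or the vendor; the normalized telemetry format, the device labels and the sample lines are constructed assumptions, and the only page-derived value is the `ubsan_throwing_runtime` marker.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample telemetry (not real device output). Assumed normalized format:
#   "<ISO time> <device> CRASH <text>"  and  "<ISO time> <device> INBOUND <source>"
SAMPLE = """\
2026-06-03T10:15:40Z dev-a INBOUND 198.51.100.7
2026-06-03T10:15:42Z dev-a CRASH abort in handler, frame ubsan_throwing_runtime.cpp
2026-06-03T10:20:00Z dev-a INBOUND 203.0.113.9
2026-06-03T11:02:10Z dev-b INBOUND 198.51.100.7
2026-06-03T11:02:11Z dev-b CRASH backtrace mentions ubsan_throwing_runtime
2026-06-03T12:00:00Z dev-c CRASH null deref in libmedia (unrelated)
2026-06-03T12:30:05Z dev-a INBOUND 198.51.100.7
2026-06-03T12:30:06Z dev-a CRASH ubsan_throwing_runtime: overflow handler
"""

MARKER = "ubsan_throwing_runtime"  # string the page says to look for in crash logs

def parse(text):
    """Yield (time, device, kind, detail) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[2] not in ("CRASH", "INBOUND"):
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]

def suspect_sources(text, window_s=5, min_crashes=2):
    """Count, per source, the marker crashes preceded by its traffic to the crashed device."""
    events = sorted(parse(text))
    window = timedelta(seconds=window_s)
    hits = Counter()
    for ts, dev, kind, detail in events:
        if kind != "CRASH" or MARKER not in detail:
            continue
        # Distinct sources that reached this device within the window before the crash.
        preceding = {d for t, v, k, d in events
                     if k == "INBOUND" and v == dev and timedelta(0) <= ts - t <= window}
        hits.update(preceding)
    return {src: n for src, n in hits.items() if n >= min_crashes}
```

A source that repeatedly appears just before marker crashes across devices is a lead for investigation, not proof of a trigger; widen `window_s` if log timestamps are coarse.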

How to Mitigate CVE-2026-0044

Immediate Actions Required

  • Apply the June 2026 Android security patch level (2026-06-01 or later) to all affected devices
  • Inventory all Android 14.0, 15.0, and 16.0 devices and prioritize patching for internet-exposed or high-value endpoints
  • Remove Android 16.0 QPR2 beta builds from production use until they include the fix

Patch Information

Google released the fix as part of the Android Security Bulletin June 2026. Device manufacturers and carriers distribute the patch through their standard over-the-air update channels. Confirm devices report a security patch level of 2026-06-01 or later in system settings.
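
One way to run that confirmation across a fleet, as an added example that is not part of the bulletin or the original page: it classifies devices from `getprop` dumps using the `ro.build.version.release` and `ro.build.version.security_patch` properties. The device labels and dumps are constructed, and the status names are assumptions of this sketch.

```python
import re
from datetime import date

FIXED_LEVEL = date(2026, 6, 1)          # patch level named on this page
AFFECTED_MAJORS = {"14", "15", "16"}    # Android releases listed on this page
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")  # getprop line: [key]: [value]

# Constructed getprop dumps keyed by made-up device labels.
FLEET = {
    "dev-a": "[ro.build.version.release]: [15]\n[ro.build.version.security_patch]: [2026-05-05]",
    "dev-b": "[ro.build.version.release]: [16]\n[ro.build.version.security_patch]: [2026-06-01]",
    "dev-c": "[ro.build.version.release]: [13]\n[ro.build.version.security_patch]: [2025-01-05]",
    "dev-d": "[ro.build.version.release]: [14]\n[ro.build.version.security_patch]: []",
}

def classify(getprop_text):
    """Return 'patched', 'missing-fix', 'not-listed' or 'unknown' for one device."""
    matches = (PROP_RE.match(line.strip()) for line in getprop_text.splitlines())
    props = dict(m.groups() for m in matches if m)
    major = props.get("ro.build.version.release", "").split(".")[0]
    if not major:
        return "unknown"        # no release reported: needs manual review
    if major not in AFFECTED_MAJORS:
        return "not-listed"     # release is not among those this page lists
    try:
        level = date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        return "unknown"        # missing or malformed patch level: needs manual review
    return "patched" if level >= FIXED_LEVEL else "missing-fix"

def audit(fleet):
    """Map each device label to its classification."""
    return {dev: classify(text) for dev, text in fleet.items()}
```

Devices that come back `unknown` should be handled like `missing-fix` until their patch level is confirmed.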

Workarounds

  • No vendor-supplied workaround is documented; patching is the supported remediation
  • Restrict network exposure of affected devices through segmentation and firewall policies until updates are applied
  • Limit installation of untrusted applications that could supply low-privileged local input to vulnerable runtime functions

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
