CVE-2026-0051: Google Android DoS Vulnerability

CVE-2026-0051 is a denial of service vulnerability in Google Android caused by improper input validation in ubsan_throwing_runtime.cpp. Attackers can trigger remote system crashes without privileges or user interaction.

CVE-2026-0051 Overview

CVE-2026-0051 is an input validation vulnerability in Google Android. The flaw resides in multiple functions of ubsan_throwing_runtime.cpp, the Undefined Behavior Sanitizer (UBSan) throwing runtime component. Improper input validation allows a remote attacker to trigger a system crash without user interaction. Exploitation requires low privileges and produces a denial-of-service condition on affected devices.

The vulnerability is categorized under [CWE-20] (Improper Input Validation) and affects Android versions 14, 15, and 16, including pre-release qpr2_beta builds. Google addressed the issue in the June 2026 Android Security Bulletin.

Critical Impact

Remote attackers can crash affected Android systems without user interaction, resulting in service disruption across Android 14, 15, and 16 devices.

Affected Products

  • Google Android 14.0
  • Google Android 15.0
  • Google Android 16.0 (including qpr2_beta_1, qpr2_beta_2, and qpr2_beta_3)

Discovery Timeline

  • 2026-06-01 - Google publishes Android Security Bulletin addressing CVE-2026-0051
  • 2026-06-01 - CVE-2026-0051 published to NVD
  • 2026-06-02 - Last updated in NVD database

Technical Details for CVE-2026-0051

Vulnerability Analysis

The vulnerability exists in multiple functions of ubsan_throwing_runtime.cpp. This file implements the Undefined Behavior Sanitizer throwing runtime, a compiler instrumentation component used by Android to identify undefined behavior at runtime. The affected functions fail to validate input properly before processing, leading to a reachable abort or crash condition.

When an attacker supplies malformed input to a code path that reaches the affected runtime functions, the process terminates abnormally. The attack vector is network-based and requires no user interaction. Successful exploitation does not grant code execution or information disclosure, but it does break availability of affected services or system components.

The vulnerability has no impact on confidentiality or integrity, while the availability impact is high. The scope remains unchanged, meaning the crash is confined to the vulnerable component's security boundary.

Root Cause

The root cause is improper input validation [CWE-20] in the UBSan throwing runtime. The functions accept input that should be rejected or sanitized before further processing. When the runtime receives unexpected values, it reaches an error path that terminates the process rather than handling the condition gracefully.

Attack Vector

The vulnerability is reachable over the network. An attacker with low privileges on a remote system can send crafted input that reaches the vulnerable runtime functions. Because user interaction is not required, the vulnerability can be triggered automatically once the attacker has network reachability and the minimum privilege level required. Repeated triggering enables a sustained denial-of-service condition.

No verified proof-of-concept code is publicly available. For implementation specifics, refer to the Android Security Bulletin June 2026.

Detection Methods for CVE-2026-0051

Indicators of Compromise

  • Unexpected process termination events referencing ubsan runtime symbols in Android system logs
  • Repeated application or service crash reports originating from the same remote source
  • Anomalous tombstone files generated by the Android crash reporting subsystem correlated with network input

Detection Strategies

  • Monitor Android system logs (logcat, dropbox) for abnormal frequency of crashes referencing sanitizer runtimes
  • Correlate device crash telemetry with network-layer events to identify remote denial-of-service patterns
  • Track Android version inventory to identify devices running unpatched 14.0, 15.0, or 16.0 builds against the June 2026 patch level

Monitoring Recommendations

  • Aggregate mobile device crash reports in a centralized logging platform for trend analysis
  • Alert on repeated service unavailability events tied to identifiable network sources
  • Track patch-level compliance against the June 2026 Android Security Bulletin across the managed device fleet
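The correlation described in the detection and monitoring lists above, as an added example that is not part of the original advisory or of any Google tooling. The record layout, the device names, the 5-second window and the alert threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from real devices). The record layout is
# an assumption; map the keys to whatever your crash and network logs export.
CRASHES = [
    {"ts": "2026-06-03T10:15:02", "device": "dev-01", "abort": "ubsan: sanitizer runtime abort"},
    {"ts": "2026-06-03T10:15:32", "device": "dev-01", "abort": "ubsan: sanitizer runtime abort"},
    {"ts": "2026-06-03T10:16:03", "device": "dev-02", "abort": "ubsan: sanitizer runtime abort"},
    {"ts": "2026-06-03T10:20:00", "device": "dev-02", "abort": "null pointer dereference"},
    {"ts": "2026-06-03T11:00:01", "device": "dev-03", "abort": "ubsan: sanitizer runtime abort"},
]
INBOUND = [
    {"ts": "2026-06-03T10:15:00", "device": "dev-01", "src": "198.51.100.7"},
    {"ts": "2026-06-03T10:15:30", "device": "dev-01", "src": "198.51.100.7"},
    {"ts": "2026-06-03T10:16:01", "device": "dev-02", "src": "198.51.100.7"},
    {"ts": "2026-06-03T10:19:59", "device": "dev-02", "src": "198.51.100.7"},
    {"ts": "2026-06-03T11:00:00", "device": "dev-03", "src": "203.0.113.9"},
]

def correlate(crashes, inbound, window=timedelta(seconds=5), marker="ubsan"):
    """Map each network source to the sanitizer crashes it shortly preceded."""
    hits = defaultdict(list)
    for crash in crashes:
        if marker not in crash["abort"].lower():
            continue  # unrelated crash, not a sanitizer-runtime abort
        crashed_at = datetime.fromisoformat(crash["ts"])
        sources = {
            ev["src"] for ev in inbound
            if ev["device"] == crash["device"]
            and timedelta(0) <= crashed_at - datetime.fromisoformat(ev["ts"]) <= window
        }
        for src in sources:  # a set, so each source counts once per crash
            hits[src].append((crash["device"], crash["ts"]))
    return dict(hits)

def alerts(crashes, inbound, threshold=3):
    """Sources tied to at least `threshold` sanitizer crashes across the fleet."""
    found = correlate(crashes, inbound)
    return {src: len(v) for src, v in found.items() if len(v) >= threshold}

if __name__ == "__main__":
    for src, count in alerts(CRASHES, INBOUND).items():
        print(f"ALERT {src}: {count} sanitizer crashes shortly after inbound traffic")
```

Counting across devices rather than per device is what surfaces one source crashing several handsets once or twice each.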

How to Mitigate CVE-2026-0051

Immediate Actions Required

  • Apply the June 2026 Android security patch level (2026-06-01) to all affected devices
  • Inventory all Android 14, 15, and 16 devices and prioritize patching for internet-facing or business-critical systems
  • Remove or restrict Android 16 qpr2_beta builds from production use until patched builds are deployed

Patch Information

Google released the fix in the Android Security Bulletin June 2026. Devices reporting a security patch level of 2026-06-01 or later include the remediation. OEM rollouts vary, so confirm vendor-specific updates for affected device models.
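A patch-level compliance check for the threshold stated above, as an added example that is not part of the original advisory. It assumes an inventory export carrying each device's `ro.build.version.release` and `ro.build.version.security_patch` property values; the device IDs and records are constructed.

```python
from datetime import date

REQUIRED_SPL = date(2026, 6, 1)   # patch level named in the advisory
AFFECTED_MAJOR = {14, 15, 16}     # Android versions listed as affected

def classify(release, spl):
    """Return 'patched', 'vulnerable', 'not-listed' or 'unknown'."""
    try:
        major = int(str(release).split(".")[0])
    except ValueError:
        return "unknown"          # unparseable release string
    if major not in AFFECTED_MAJOR:
        return "not-listed"       # the advisory makes no statement here
    try:
        level = date.fromisoformat(spl)
    except (TypeError, ValueError):
        return "unknown"          # missing or malformed patch level
    return "patched" if level >= REQUIRED_SPL else "vulnerable"

def needs_action(inventory):
    """Device IDs that are vulnerable or cannot be verified (fail closed)."""
    return sorted(
        dev["id"] for dev in inventory
        if classify(dev.get("release"), dev.get("spl")) in ("vulnerable", "unknown")
    )

# Constructed inventory for illustration only.
INVENTORY = [
    {"id": "ph-001", "release": "16", "spl": "2026-06-01"},
    {"id": "ph-002", "release": "15", "spl": "2026-05-05"},
    {"id": "ph-003", "release": "14", "spl": "2026-06-05"},
    {"id": "ph-004", "release": "14", "spl": ""},
    {"id": "ph-005", "release": "13", "spl": "2026-01-01"},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(dev["id"], classify(dev["release"], dev["spl"]))
    print("needs action:", needs_action(INVENTORY))
```

Devices whose patch level cannot be parsed are treated as needing action, because an unverifiable device should not pass an enrollment gate.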

Workarounds

  • Restrict network exposure of affected Android devices using mobile device management (MDM) network policies until patches are applied
  • Disable or limit access to services that expose the vulnerable code path to untrusted networks
  • Enforce mobile device management policies that block enrollment of devices below the required patch level

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
