CVE-2026-0067 Overview
CVE-2026-0067 is a local denial of service vulnerability in Google Android. The flaw resides in multiple functions of ubsan_throwing_runtime.cpp, the Undefined Behavior Sanitizer (UBSan) throwing runtime component. A logic error in the code allows a local attacker with low privileges to trigger a permanent denial of service condition. Exploitation requires no user interaction and no additional execution privileges. The vulnerability affects Android versions 14, 15, and 16, including QPR2 beta builds. Google addressed the issue in the Android Security Bulletin June 2026.
Critical Impact
A local attacker can cause a permanent denial of service on affected Android devices without user interaction or elevated privileges.
Affected Products
- Google Android 14.0
- Google Android 15.0
- Google Android 16.0 (including QPR2 Beta 1, Beta 2, and Beta 3)
Discovery Timeline
- 2026-06-01 - Google releases Android Security Bulletin addressing CVE-2026-0067
- 2026-06-01 - CVE-2026-0067 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-0067
Vulnerability Analysis
The vulnerability exists in ubsan_throwing_runtime.cpp, a component of the Undefined Behavior Sanitizer (UBSan) runtime used in Android. UBSan detects undefined behavior at runtime and can be configured to throw exceptions when violations occur. A logic error across multiple functions in this runtime allows a local actor to drive the component into a state that produces a permanent denial of service. The condition impacts availability of the affected system or service path. Confidentiality and integrity are not affected, consistent with the documented availability-only impact.
Root Cause
The root cause is a logic error within the throwing runtime functions. The defect is categorized under [NVD-CWE-noinfo] because Google has not published the underlying weakness class. Logic flaws in sanitizer runtimes typically arise from incorrect state handling, recursion into the fault path, or improper exception propagation that prevents recovery.
Attack Vector
Exploitation requires local access to the device with low privileges. No user interaction is needed. An attacker invokes code paths that exercise the flawed UBSan throwing runtime functions, triggering the logic error and producing a persistent denial of service. The attack surface is limited to scenarios where the attacker can execute code on the device, such as through a malicious application.
No public proof-of-concept or exploit code is available. Refer to the Android Security Bulletin June 2026 for vendor technical details.
Detection Methods for CVE-2026-0067
Indicators of Compromise
- Unexpected and recurring service crashes or process termination tied to the UBSan runtime on Android 14, 15, or 16 devices.
- Persistent unavailability of a system component that does not recover after reboot, indicating a permanent denial of service state.
- Installation of untrusted applications shortly before the onset of crash behavior.
Detection Strategies
- Monitor Android device logs (logcat) for repeated UBSan-related fault messages and abnormal termination patterns.
- Compare device patch levels against the June 2026 Android Security Bulletin to identify unpatched fleet endpoints.
- Review mobile threat defense telemetry for applications that trigger sanitizer faults or unusual runtime exceptions.
Monitoring Recommendations
- Enforce mobile device management (MDM) policies that report Android security patch level and flag devices below the June 2026 baseline.
- Track application installation events and correlate with subsequent system stability incidents.
- Aggregate mobile endpoint telemetry into a centralized analytics platform to surface fleet-wide denial of service patterns.
How to Mitigate CVE-2026-0067
Immediate Actions Required
- Apply the June 2026 Android security patch level to all managed Android 14, 15, and 16 devices.
- Identify devices still running pre-patch builds, including Android 16 QPR2 beta variants, and prioritize updates.
- Restrict installation of untrusted applications through enterprise mobility management policies until patches are deployed.
Patch Information
Google published the fix in the Android Security Bulletin June 2026. Device manufacturers integrate the patch into their respective monthly security update streams. Confirm the device security patch level reports 2026-06-01 or later under Android settings.
Workarounds
- Limit installation rights on managed devices to vetted, signed applications from trusted sources only.
- Apply MDM controls that disable sideloading and restrict developer options on production devices.
- Reboot affected devices to restore service availability while remediation patches are being deployed, though this does not address root cause.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
