CVE-2026-0079 Overview
CVE-2026-0079 is an integer overflow vulnerability [CWE-190] affecting multiple functions in ubsan_throwing_runtime.cpp within Google Android. The flaw can trigger a persistent denial of service condition on affected devices. Exploitation requires local access with low privileges and no user interaction. The vulnerability impacts Android versions 14.0, 15.0, and 16.0, including the QPR2 Beta builds. Google addressed the issue in the June 2026 Android Security Bulletin.
Critical Impact
A local attacker with low privileges can trigger a persistent denial of service on affected Android devices without user interaction.
Affected Products
- Google Android 14.0
- Google Android 15.0
- Google Android 16.0 (including QPR2 Beta 1, Beta 2, and Beta 3)
Discovery Timeline
- 2026-06-01 - Google publishes the Android Security Bulletin addressing CVE-2026-0079
- 2026-06-01 - CVE-2026-0079 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-0079
Vulnerability Analysis
The vulnerability resides in multiple functions of ubsan_throwing_runtime.cpp, a component of the Undefined Behavior Sanitizer (UBSan) runtime used within Android. An integer overflow condition in these functions leads to a persistent denial of service state on the affected device.
Because the impact is described as persistent, the condition can affect device usability beyond a single process lifecycle. The CWE-190 classification indicates that an arithmetic operation produces a numeric value outside the representable range of the destination type. This miscalculation drives downstream logic into an unrecoverable error path.
No confidentiality or integrity impact is associated with this issue. The attacker gains no additional execution privileges from triggering the flaw.
Root Cause
The root cause is improper validation of arithmetic operations within the UBSan throwing runtime functions. When unchecked values wrap past the maximum bound of an integer type, subsequent code paths operate on corrupted values. This leads to a stable failure state rather than a transient crash.
Attack Vector
Exploitation requires local access to the device with low privileges. An attacker leverages a local process or application to invoke the vulnerable code paths with crafted inputs that force the integer overflow. User interaction is not required.
Verified proof-of-concept code is not publicly available for this CVE. Refer to the Android Security Bulletin June 2026 for technical details from the vendor.
Detection Methods for CVE-2026-0079
Indicators of Compromise
- Repeated unexpected process termination events tied to UBSan runtime instrumentation in system logs.
- Persistent failure of system services after a local application interacts with sanitizer-instrumented binaries.
- Devices that remain in a degraded state after reboot, requiring factory reset or recovery operations.
Detection Strategies
- Monitor Android logcat output for repeated UBSan abort messages or runtime sanitizer failures originating from non-system applications.
- Correlate application install or update events with subsequent service crashes on managed mobile fleets.
- Track app crash telemetry from Mobile Device Management (MDM) platforms for clusters of failures pointing to the same package.
Monitoring Recommendations
- Enroll devices in an MDM solution that reports OS patch level and flags devices missing the June 2026 security patch.
- Audit installed third-party applications and restrict sideloading on enterprise-managed devices.
- Review crash dumps and stability metrics from device fleets to identify anomalous denial-of-service patterns.
How to Mitigate CVE-2026-0079
Immediate Actions Required
- Apply the June 2026 Android security patch level (2026-06-01 or later) to all affected devices.
- Inventory devices running Android 14.0, 15.0, and 16.0 to confirm patch status across the fleet.
- Remove untrusted applications from affected devices until patches are applied.
Patch Information
Google published the fix in the Android Security Bulletin June 2026. Device manufacturers ship the corresponding security patch level through their normal OTA channels. Confirm that the device reports a security patch level of 2026-06-01 or later after the update.
Workarounds
- Restrict application installation to vetted sources such as Google Play and approved enterprise stores.
- Enforce MDM policies that block sideloading and limit local access on shared or kiosk devices.
- Isolate unpatched devices from sensitive workloads until the June 2026 patch level is applied.
```sh
# Verify Android security patch level on a connected device via ADB
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2026-06-01 or later
```
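To confirm patch status across several devices rather than one, the following added example (not from the bulletin or from Google) classifies each device by Android release and reported patch level. The function names, the `serial,release,patch` CSV layout and the sample rows are assumptions made for this illustration; the two `getprop` properties and `adb devices` are standard.

```sh
#!/bin/sh
# Added example: triage devices against the patch level this page requires.
REQUIRED_PATCH_NUM=20260601   # 2026-06-01 with the dashes removed

# classify_device RELEASE PATCH
# Prints: patched | unpatched | not-affected | unknown
classify_device() {
    cd_release=$(printf '%s' "$1" | tr -d '\r')   # adb output may end in CR
    cd_patch=$(printf '%s' "$2" | tr -d '\r')
    case "${cd_release%%.*}" in
        14|15|16) ;;                                # versions listed as affected
        ''|*[!0-9]*) echo unknown; return 0 ;;      # empty or codename release
        *) echo not-affected; return 0 ;;
    esac
    case "$cd_patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;                # missing or malformed value
    esac
    if [ "$(printf '%s' "$cd_patch" | tr -d '-')" -lt "$REQUIRED_PATCH_NUM" ]; then
        echo unpatched
    else
        echo patched
    fi
}

# triage_inventory: reads "serial,release,patch" lines on stdin.
triage_inventory() {
    while IFS=, read -r ti_serial ti_release ti_patch; do
        if [ -n "$ti_serial" ]; then
            echo "$ti_serial $(classify_device "$ti_release" "$ti_patch")"
        fi
    done
}

# live_inventory: emits the same CSV for devices attached over ADB.
# </dev/null stops "adb shell" from swallowing the loop's input.
live_inventory() {
    adb devices | awk 'NR>1 && $2=="device" {print $1}' | while read -r li_s; do
        li_rel=$(adb -s "$li_s" shell getprop ro.build.version.release </dev/null)
        li_pat=$(adb -s "$li_s" shell getprop ro.build.version.security_patch </dev/null)
        echo "$li_s,$li_rel,$li_pat"
    done
}

# Constructed sample inventory (not real devices).
triage_sample() {
    printf '%s\n' 'emu-0001,14,2026-05-05' 'emu-0002,16,2026-06-01' \
        'emu-0003,13,2025-12-01' 'emu-0004,15,' | triage_inventory
}
triage_sample
```

On a workstation with devices attached, `live_inventory | triage_inventory` produces the same report from real property values; treat `unknown` rows as unpatched until the value is confirmed.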
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


