Description
In addInputMethodListener of com.android.server.inputmethod.InputMethodManagerService, there is a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a missing permission check in the addInputMethodListener method of com.android.server.inputmethod.InputMethodManagerService. Without this guard, any application running locally on the device can register an InputMethodService instance and obtain higher privileges. The exploit does not require any extra execution rights or user interaction, enabling a silent local privilege escalation.

Affected Systems

The vulnerability targets Google Android XR devices. No specific version numbers are provided, so it is presumed to affect all current releases until a vendor patch is applied.

Risk and Exploitability

This issue has a CVSS score of 10, which classifies it as critical. The EPSS score is not published, but the flaw can be triggered from any local context without network involvement. Although it is not listed in CISA’s KEV catalog, the absence of a KEV entry does not reduce the inherent risk. Attackers can exploit the missing permission check to elevate privileges silently and potentially alter system components, compromising the integrity of the device.

Generated by OpenCVE AI on June 1, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest Android XR update from Google that addresses the missing permission check.
  • Verify that installed third‑party InputMethodService applications are not granted unmanaged listener access beyond necessary permissions.
  • If an update is unavailable, use device administration or enterprise mobility management to block third‑party input method services until the patch is applied.



Advisories

No advisories yet.

History

Mon, 01 Jun 2026 21:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 21:15:00 +0000

Type | Values Removed | Values Added
Title | | Missing Permission Check in InputMethodManagerService Enables Local Privilege Escalation

Mon, 01 Jun 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | In addInputMethodListener of com.android.server.inputmethod.InputMethodManagerService, there is a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Weaknesses | | CWE-285
References | |
Metrics | | cvssV4_0 {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}



MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-01T19:14:42.058Z

Reserved: 2025-10-15T15:40:56.908Z

Link: CVE-2026-0072

Vulnrichment

Updated: 2026-06-01T19:14:38.598Z

NVD

Status: Awaiting Analysis

Published: 2026-06-01T19:16:19.337

Modified: 2026-06-02T13:04:00.123

Link: CVE-2026-0072

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T21:00:15Z

Weaknesses