HIGH 7.8

CVE-2026-0072: Android XR InputMethodManagerService Privilege Escalation (CVSS 7.8)

A missing permission check in Android's input method manager allows a local attacker with minimal privileges to escalate their access and take full control of the affected device. No user action is required to exploit this flaw, making it a practical risk in multi-user or compromised environments.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-285
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

In addInputMethodListener of com.android.server.inputmethod.InputMethodManagerService, there is a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-0072 is a privilege escalation vulnerability in the InputMethodManagerService component (specifically the addInputMethodListener method) of Android XR. The vulnerability stems from inadequate authorization checks on a sensitive function, permitting a low-privileged local process to invoke functionality reserved for system or privileged callers. The attacker gains the ability to modify input method behavior without proper credential validation, leading to complete compromise of device confidentiality, integrity, and availability.

Business impact

This vulnerability poses a significant risk in enterprise deployments of Android XR devices, particularly in shared or BYOD scenarios. Attackers exploiting this flaw can exfiltrate sensitive data, modify device behavior without detection, install malicious input methods to harvest credentials, or deny service. For organizations relying on Android XR for productivity or security-sensitive tasks, unpatched devices become a trusted-network infiltration point.

Affected systems

Google Android XR is the confirmed affected product. Organizations should inventory all Android XR deployments and prioritize testing the availability of vendor patches. Related Android platforms may warrant defensive review depending on shared code paths.

Exploitability

Exploitation requires local system access but no elevated starting privileges and no user interaction. An attacker already present on the device (through another compromise, physical access, or legitimate low-privilege account) can immediately trigger the flaw. The straightforward nature of the missing check makes this vulnerability straightforward to exploit once access is obtained.

Remediation

Apply the latest security patch from Google for Android XR as soon as it becomes available. Organizations should verify patch availability against the official Android Security & Privacy Year in Review and device-specific update schedules. Until patched, restrict physical access and limit installation of untrusted applications on Android XR devices.

Patch guidance

Monitor the Google Android Security & Privacy bulletin and your device manufacturer's security update page for the availability of patches addressing CVE-2026-0072. Apply patches to all Android XR devices in your environment systematically, beginning with production and high-risk deployments. Validate remediation by confirming the patched version is running post-update.

Detection guidance

Detection of exploitation is challenging without behavioral baselines. Monitor for unusual input method installation or modification events in system logs. Implement application allowlisting on Android XR devices to prevent unauthorized input method installation. Detect anomalous process interaction with InputMethodManagerService via audit logging if your deployment supports it. Alert on unexpected privilege escalation patterns tied to input-related processes.

Why prioritize this

The HIGH CVSS 3.1 score (7.8) reflects the combination of local attack surface, complete impact scope (confidentiality, integrity, and availability all compromised), and lack of user interaction or additional privileges required. The absence of KEV status should not lower prioritization—this is a straightforward privilege escalation in a core system service. Organizations should treat this as urgent, especially if Android XR is deployed in sensitive roles.

Risk score, explained

CVSS 3.1 score 7.8 (HIGH) is derived from: local attack vector (AV:L), low attack complexity (AC:L), low privilege requirement (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The LOW privilege requirement acknowledges an attacker needs a foothold; however, the complete control achieved elevates severity substantially. Real-world risk is amplified in shared-device scenarios.

Frequently asked questions

Can an attacker exploit this without already being on the device?

No. The vulnerability requires an attacker to already have local access and a low-privilege user context. However, once inside—whether through a prior compromise, social engineering, or physical access—exploitation is immediate and requires no further user interaction.

What is the difference between this and a typical privilege escalation bug?

This flaw is straightforward: a security check was simply omitted from a sensitive function. An attacker with low privileges can directly call a protected input method listener registration function without passing any authorization gates. It is not a logic error or a subtle bypass; it is the absence of a guard that should exist.

Does applying a patch require a device restart?

This depends on the specific patch delivery mechanism. Monitor the official Google advisory for guidance on whether the fix is delivered as an automatic system update or a manual flash. Device reboots are often recommended after critical security patches to ensure all components are fully reloaded.

What should we do if we cannot patch immediately?

Implement compensating controls: restrict physical and network access to Android XR devices, disable installation of applications from untrusted sources, enforce strong authentication for all device users, and monitor system logs for anomalous input method activity. Isolate affected devices from sensitive networks if feasible until patching is complete.

This analysis is based on the publicly disclosed vulnerability details and CVSS vector as of the publication and modification dates listed. Patch availability, specific affected device models, and version numbers should be verified directly against Google's official Android Security & Privacy advisories before deployment. SEC.co makes no warranty regarding the completeness or accuracy of patch availability or the effectiveness of remediation strategies in all environments. Organizations are responsible for testing patches in non-production environments before rollout. Real-world exploitability may vary based on device configuration, access controls, and deployment context. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).