Critical

Privilege escalation in Android InputMethodManagerService addInputMethodListener

IdentifiersCVE-2026-0072CWE-285· Improper Authorization

CVE-2026-0072 is an Android XR-related elevation-of-privilege vulnerability in com.android.server.inputmethod.InputMethodManagerService. The flaw is in the addInputMethodListener method, where a required permission check is missing. Because authorization is not properly enforced before registering or accessing input method listener functionality, a local attacker can interact with this service in an unauthorized manner. Google’s XR bulletin further indicates the issue could allow input text to be read without permission. The vulnerability is associated with Android bug ID A-465135643 and is listed as affecting AOSP version 14.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in local escalation of privilege on the affected Android device. Based on the XR bulletin context, the flaw may also permit unauthorized reading of input text, creating a confidentiality impact in addition to the privilege boundary bypass. No user interaction is required, and no additional execution privileges are needed beyond the attacker’s ability to execute locally on the device.

Mitigation

If you can’t patch tonight, do this now.

If the official patch is not yet available, mitigation information is limited in the provided sources. Practical interim mitigation would be to restrict installation and execution of untrusted local applications, minimize exposure to locally executing code on affected devices, and prioritize deployment of the June 2026 Android/XR security updates. Some Android 10 and later devices may receive the fix through Google Play system updates, where applicable.

Remediation

Patch, then assume compromise.

Apply the vendor-provided Android security update for CVE-2026-0072. Google states that devices with security patch level 2026-06-01 or later address the XR bulletin issues, and the full XR update also includes the 2026-06-05 or later patch level from the June 2026 Android Security Bulletin. The bulletin lists AOSP version 14 as updated for this issue.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

GoogleAndroidoperating_system

GoogleAndroid Xroperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

cvefeed high severityNews

Jun 1, 2026

CVE-2026-0072 - Android InputMethodManagerService Privilege Escalation

A local privilege escalation vulnerability in Android's InputMethodManagerService caused by a missing permission check in addInputMethodListener.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-0072

NVD

nvd.nist.gov/vuln/detail/CVE-2026-0072

MITRE CWE · CWE-285

Improper Authorization

Vendor Advisory

source.android.com/docs/security/bulletin/xr/2026/2026-06-01