CVE-2026-0072
Analyzed Analyzed - Analysis Complete
Input Method Manager Service Permission Check Bypass

Publication date: 2026-06-01

Last updated on: 2026-06-03

Assigner: Android (associated with Google Inc. or Open Handset Alliance)

Description
In addInputMethodListener of com.android.server.inputmethod.InputMethodManagerService, there is a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-03
Generated
2026-06-22
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-0072
EUVD
EUVD-2026-33728
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
google android_xr 14
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-0072 is a security vulnerability in the addInputMethodListener function of the InputMethodManagerService component in Android. The issue arises because there is a missing permission check, which means that unauthorized code can interact with this function.

This flaw allows an attacker to escalate their privileges locally without needing any additional execution privileges or user interaction.

Specifically, it could allow input text to be read without permission, leading to an elevation of privilege.

Impact Analysis

This vulnerability can have a significant impact as it allows an attacker to gain elevated privileges on the affected Android device without requiring user interaction or additional execution rights.

An attacker exploiting this flaw could read input text without permission, potentially exposing sensitive information entered by the user.

Because the vulnerability has a maximum severity rating (CVSS 10.0), it represents a critical security risk that could compromise device confidentiality and integrity.

Mitigation Strategies

To mitigate CVE-2026-0072, apply the Android security patch level dated 2026-06-01 which addresses this vulnerability.

Ensure your device is running Android version 14 or later with the latest security updates installed.

Compliance Impact

The vulnerability allows local escalation of privilege without user interaction, potentially enabling unauthorized access to input text. This could lead to unauthorized data exposure, which may impact compliance with data protection regulations such as GDPR and HIPAA that require strict controls on access to personal and sensitive information.

However, the provided information does not explicitly detail the direct effects on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0072. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart