CVE-2026-0072

Vulnerability

In the addInputMethodListener method of com.android.server.inputmethod.InputMethodManagerService, a missing permission check exists. This vulnerability affects the XR component of the Android platform and could allow unauthorized access to input text. User interaction is not required for exploitation.

Exploitation

An attacker with local access to the affected Android device can exploit this vulnerability. By triggering the addInputMethodListener function without the necessary permission checks, an attacker can gain unauthorized access to input text. No additional execution privileges are needed beyond local access.

Impact

Successful exploitation of this vulnerability allows an attacker to read input text without permission, leading to a local escalation of privilege. The scope of the compromise is limited to the information an attacker can glean from the input text, but it does not grant further execution privileges.

Mitigation

This vulnerability is addressed in the June 2026 Android Security Bulletin, with a security patch level of 2026-06-05 or later. Customers are encouraged to update their devices to receive these security patches. The specific XR update includes patches for XR vulnerabilities in addition to the general Android security bulletin [1].