
CVE-2026-0072: Google Android XR Privilege Escalation Flaw

CVE-2026-0072 is a privilege escalation vulnerability in Google Android XR caused by a missing permission check in InputMethodManagerService. The flaw enables local privilege escalation and requires no user interaction. This article covers technical details, affected versions, impact, and mitigation strategies.

CVE-2026-0072 Overview

CVE-2026-0072 is a missing authorization vulnerability in Google Android XR. The flaw resides in the addInputMethodListener method of com.android.server.inputmethod.InputMethodManagerService. The method fails to perform a required permission check before registering input method listeners. A local attacker can exploit this gap to escalate privileges without additional execution rights and without user interaction. The weakness is tracked under CWE-285: Improper Authorization and affects Android XR version 14. Google addressed the issue in the Android Security Bulletin June 2026.

Critical Impact

Local applications on Android XR 14 can escalate privileges through the InputMethodManagerService without user interaction or additional execution privileges.

Affected Products

  • Google Android XR version 14
  • Devices running unpatched Android XR 14 builds prior to the June 2026 security patch level
  • com.android.server.inputmethod.InputMethodManagerService system service

Discovery Timeline

  • 2026-06-01 - CVE-2026-0072 published to NVD and disclosed in the Android Security Bulletin
  • 2026-06-03 - Last updated in NVD database

Technical Details for CVE-2026-0072

Vulnerability Analysis

The vulnerability exists in the addInputMethodListener method of InputMethodManagerService, a privileged system service that brokers input method editor (IME) operations on Android. The method registers callers as listeners for input method events but omits the permission enforcement step required for sensitive system-level APIs.

Because this check is missing, an unprivileged local application can invoke the binder interface and register itself as a listener. This grants the caller access to privileged event flows that should be restricted to system or signature-protected components. The result is a local privilege escalation path that requires neither user interaction nor pre-existing elevated rights.

Root Cause

The root cause is improper authorization [CWE-285]. The addInputMethodListener entry point lacks an explicit checkCallingPermission or enforceCallingPermission call against the appropriate signature or system permission. Binder transactions reach the privileged code path without validating the caller identity.

Attack Vector

A malicious application installed on an Android XR 14 device invokes the exposed binder method through the standard InputMethodManager system service interface. Because the service runs with system privileges and trusts the caller, the attacker gains capabilities reserved for privileged components. The Android Security Bulletin classifies the issue with a network-adjacent CVSS attack vector, though exploitation requires local code execution on the device through an installed app.

No public proof-of-concept is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Technical specifics on the unpatched code path are documented in the Android Security Bulletin June 2026.

Detection Methods for CVE-2026-0072

Indicators of Compromise

  • Unexpected applications registered as input method listeners through InputMethodManagerService
  • Installed applications invoking addInputMethodListener without holding signature-level IME permissions
  • Anomalous binder traffic targeting com.android.server.inputmethod.InputMethodManagerService from non-system UIDs
  • Devices reporting an Android XR security patch level earlier than 2026-06-01

Detection Strategies

  • Inventory Android XR devices and flag any running version 14 with a security patch level prior to June 2026
  • Review installed applications for requests or usage of input method APIs inconsistent with their declared functionality
  • Use mobile threat defense tooling to detect privilege escalation behavior and abuse of system services on managed devices
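The inventory step above can be scripted for a fleet of USB- or network-attached devices. The following is an added example, not tooling from Google or the bulletin; it assumes adb is on PATH, that affected builds report "14" in ro.build.version.release, and that the patch level is exposed in ro.build.version.security_patch as shown in the page's own adb command.

```shell
#!/bin/sh
# Added example: flag Android XR devices still exposed to CVE-2026-0072 by
# comparing the release and security patch level reported by the device.
REQUIRED_PATCH="2026-06-01"   # first fixed patch level named in the bulletin
AFFECTED_RELEASE="14"         # affected Android XR release (assumed property value)

# needs_patch RELEASE PATCH_LEVEL -> prints "vulnerable" or "ok".
# ISO dates (YYYY-MM-DD) order correctly as plain strings, so expr's
# string comparison is sufficient; a missing property is treated as unpatched.
needs_patch() {
    release="$1"
    patch="$2"
    case "$release" in
        "$AFFECTED_RELEASE"|"$AFFECTED_RELEASE".*) ;;   # in scope
        *) echo "ok"; return 0 ;;                        # other releases: out of scope here
    esac
    if [ -z "$patch" ]; then
        echo "vulnerable"
        return 0
    fi
    if expr "$patch" \< "$REQUIRED_PATCH" >/dev/null; then
        echo "vulnerable"
    else
        echo "ok"
    fi
}

# Enumerate authorized devices and print one status line per serial.
scan_connected_devices() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
        release=$(adb -s "$serial" shell getprop ro.build.version.release | tr -d '\r')
        patch=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
        printf '%s release=%s patch=%s status=%s\n' \
            "$serial" "$release" "$patch" "$(needs_patch "$release" "$patch")"
    done
}

# Only talk to devices when adb is actually installed.
if command -v adb >/dev/null 2>&1; then
    scan_connected_devices
fi
```

Feed the printed status lines to the same log platform that receives MDM patch-level telemetry so unpatched serials can be quarantined automatically.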

Monitoring Recommendations

  • Forward Android XR device attestation and patch-level telemetry to a centralized log platform for compliance tracking
  • Alert on installation of unsigned or sideloaded applications on enterprise-managed XR devices
  • Monitor MDM compliance reports for devices stuck on pre-patch builds and quarantine them from sensitive networks

How to Mitigate CVE-2026-0072

Immediate Actions Required

  • Apply the Android XR security patch level 2026-06-01 or later to all affected devices
  • Restrict application installation on Android XR devices to vetted enterprise stores or signed packages
  • Audit installed applications and remove any that request unnecessary input method or accessibility privileges
  • Enforce mobile device management (MDM) policies that block updates from being deferred beyond a defined window

Patch Information

Google released a fix in the June 2026 Android XR security bulletin. Device owners and OEMs should install the patch level 2026-06-01 or later. Refer to the Android Security Bulletin June 2026 for the authoritative patch notes and build references.

Workarounds

  • No vendor-supplied workaround exists; patching is the only complete remediation
  • Limit exposure by preventing untrusted application installs through MDM enrollment and Google Play Protect enforcement
  • Disable sideloading and developer options on production Android XR devices until the patch is applied

```bash
# Verify the Android XR security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output for remediated devices: 2026-06-01 or later
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
