PatchSiren


CVE-2026-0072 Google CVE debrief

PatchSiren defensive debrief for CVE-2026-0072, published 2026-06-01. A missing permission check in `addInputMethodListener` of `com.android.server.inputmethod.InputMethodManagerService` lets a local attacker escalate privileges with no additional execution privileges and no user interaction needed. The vulnerability is rated CRITICAL with a CVSS score of 10, although the NVD CVSS 4.0 vector lists a network attack vector while the description states local exploitation; treat the score as provisional until the vector is reconciled with the bulletin. The weakness maps to CWE-285 (Improper Authorization). Vendor attribution to Android rests on reference-domain evidence only, so confidence is low and manual review is needed. No exploitation in the wild or ransomware campaign use has been catalogued in CISA KEV. Organizations should prioritize patching through Android security bulletin channels and restrict untrusted local access to affected devices.

Vendor
Google
Product
Android XR
CVSS
CRITICAL 10
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-01
Original CVE updated
2026-06-02
Advisory published
2026-06-01
Advisory updated
2026-06-02

Who should care

Android device administrators, enterprise mobility teams, security operations centers monitoring Android endpoints, and organizations with bring-your-own-device (BYOD) policies

Technical summary

The vulnerability exists in `addInputMethodListener` within `com.android.server.inputmethod.InputMethodManagerService`, the system-server service that manages input methods (IMEs) on Android. Methods of this kind are reachable from other processes over Binder, and the service is expected to verify the caller's permission or identity before acting; here that check is missing (CWE-285, Improper Authorization). An unprivileged caller already on the device, typically a malicious or compromised installed app, can therefore register input method listeners it is not entitled to, and through them observe or influence input-method state or system behaviour it should not reach. The description states that exploitation is local, needs no additional execution privileges, and needs no user interaction. The CVSS 4.0 vector from NVD indicates maximum impact across confidentiality, integrity, and availability; note that the same vector lists a network attack vector, which does not fit a locally invoked system-service method (see Evidence notes).

Defensive priority

critical

Recommended defensive actions

  • Apply Android security patches from the 2026-06-01 security bulletin as soon as your OEM or carrier ships them, and verify by the device's reported security patch level rather than by OS version
  • Until patched, treat any code running on the device as a potential local attacker: restrict physical access to unmanaged or unpatched devices and block sideloading and unknown-source installs (the described exploit path is local; the network attack vector in the NVD CVSS data is unconfirmed)
  • Monitor device logs for input method listener registrations from packages that are not the configured IME or a system component
  • Validate that enterprise mobile device management (MDM) policies enforce timely security update installation and report each enrolled device's security patch level
  • Review and limit installation of third-party input method editors (IMEs) to trusted sources
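A concrete way to carry out the first and fourth actions is to read each device's security patch level and compare it against the bulletin date. The script below is an added example for this debrief, not PatchSiren's, Google's or AOSP code. It assumes the Android SDK `adb` tool is on PATH and that the devices are authorised for USB debugging; `ro.build.version.security_patch` is the standard Android build property holding the patch level as YYYY-MM-DD. The classification function is separated from the `adb` calls so it can be tested with constructed values and without a device attached.

```shell
#!/bin/sh
# Added example (not PatchSiren's, Google's or AOSP code): confirm that
# connected Android devices carry a security patch level at or after the
# 2026-06-01 bulletin. Assumes adb on PATH and authorised devices.

REQUIRED_PATCH_LEVEL="2026-06-01"

# is_patched LEVEL REQUIRED
#   returns 0 -> LEVEL is a well-formed YYYY-MM-DD at or after REQUIRED
#   returns 1 -> LEVEL is older than REQUIRED
#   returns 2 -> LEVEL is empty or malformed (treat as unpatched, never as a pass)
is_patched() {
    ip_level=$1
    ip_required=$2
    case "$ip_level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Strip the hyphens and compare as integers (2026-06-01 -> 20260601);
    # YYYYMMDD integer order matches calendar order.
    ip_level_n=$(printf '%s' "$ip_level" | sed 's/-//g')
    ip_required_n=$(printf '%s' "$ip_required" | sed 's/-//g')
    if [ "$ip_level_n" -lt "$ip_required_n" ]; then
        return 1
    fi
    return 0
}

# device_patch_level SERIAL: read the patch level from one connected device.
device_patch_level() {
    adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r\n'
}

# check_connected_devices: print PATCHED / UNPATCHED / UNKNOWN per device and
# return non-zero if any device is not confirmed patched, so the script can
# gate a compliance job. UNKNOWN covers a missing or garbled property.
check_connected_devices() {
    ccd_rc=0
    for ccd_serial in $(adb devices | awk 'NR > 1 && $2 == "device" { print $1 }'); do
        ccd_level=$(device_patch_level "$ccd_serial")
        ccd_state=0
        is_patched "$ccd_level" "$REQUIRED_PATCH_LEVEL" || ccd_state=$?
        case $ccd_state in
            0) printf '%s PATCHED (%s)\n' "$ccd_serial" "$ccd_level" ;;
            1) printf '%s UNPATCHED (%s is older than %s)\n' \
                   "$ccd_serial" "$ccd_level" "$REQUIRED_PATCH_LEVEL"
               ccd_rc=1 ;;
            *) printf '%s UNKNOWN (patch level "%s")\n' "$ccd_serial" "$ccd_level"
               ccd_rc=1 ;;
        esac
    done
    return $ccd_rc
}

# Only talk to adb when explicitly asked and when it is installed, so the
# classification above can be exercised offline.
if [ "${1:-}" = "--check" ] && command -v adb >/dev/null 2>&1; then
    check_connected_devices
fi
```

Run it as `sh check_patch_level.sh --check` from a workstation with the devices attached. A later level such as 2026-06-05 or 2026-07-01 passes, which is intended: by Android bulletin convention later levels include earlier fixes, and the framework fix for a system-server bug is carried by the -01 level. The property is the vendor's declaration rather than proof that a specific patch was merged, so it complements, rather than replaces, the bulletin and OEM release notes.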

Evidence notes

The CVE description identifies `addInputMethodListener` in `InputMethodManagerService` as the affected method. The CVSS 4.0 vector from the NVD source indicates a network attack vector with no privileges or user interaction required, whereas the description specifies local exploitation; a network vector is implausible for a Binder-exposed system-service method, so the vector and the resulting score of 10 should be re-checked against the bulletin before being relied on for prioritization. CWE-285 (Improper Authorization) is listed as the secondary weakness. The Android security bulletin reference dated 2026-06-01 is the primary source reference. The stored vendor field reads 'Unknown Vendor'; the Google/Android attribution shown above comes from a low-confidence reference-domain candidate.

Official resources

Android security bulletin dated 2026-06-01 (primary source reference)