HarborGuard Database

CVE-2026-0072 (CRITICAL, CNA: google_android)

CVE-2026-0072: missing permission check in addInputMethodListener of com.android.server.inputmethod.InputMethodManagerService

In addInputMethodListener of com.android.server.inputmethod.InputMethodManagerService, there is a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Metrics

CVSS v4.0 base score: 10.0
Severity: CRITICAL
Fixed in: no fix version published
Affected products: 1


HarborGuard Analysis

Synopsis

A missing permission check in addInputMethodListener of InputMethodManagerService, the Android system service that manages input methods, lets an unprivileged application register an input method listener without any authorization. The advisory describes the result as local escalation of privilege with no additional execution privileges needed and no user interaction: the attacker it describes is an application already installed on the device. The CVSS v4.0 vector on this record says AV:N (network reachable) and PR:N, which does not agree with the advisory's own "local" wording, so treat the network-reachability claim with caution and assume at minimum that any unprivileged local app can trigger the flaw. The vector scores successful exploitation as high impact on confidentiality, integrity and availability of the device and of subsequent systems (VC:H/VI:H/VA:H, SC:H/SI:H/SA:H). No fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as upstream ships a fix.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-0072 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built Android XR images, in connected registries and CI pipelines. Any image containing an affected version of Android XR 14 is flagged automatically.

Triage: Available

HarborGuard scores this CVE at its full CVSS v4.0 severity of 10.0 (Critical) and weights that score against each customer organization's compliance policy to determine urgency. Triage routing to the appropriate team inbox within each customer org is available immediately on detection.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. In the interim, the CVE remains flagged as an open critical finding in each affected customer environment.

Exploit Conditions

  • Network reachability: Required (per vector)

    The CVSS v4.0 vector specifies AV:N, meaning the attacker must be able to reach the affected service over the network to deliver the exploit. This conflicts with the advisory text, which describes a local escalation of privilege. InputMethodManagerService is reached through Binder calls from applications on the same device, so an unprivileged local app is the attacker the advisory actually describes; do not rely on network-level controls alone.

  • Authentication: Not required

    PR:N indicates no account or credentials are needed. In practice any installed application can call addInputMethodListener, and the missing permission check lets the call through.

  • Victim interaction: Not required

    UI:N confirms that no user action such as clicking a link or opening a file is required for exploitation to succeed.

  • Attack complexity: Low

    AC:L means the attacker does not have to defeat any exploit-hardening mechanism such as ASLR. The separate AT:N (attack requirements) metric means no preconditions outside the attacker's control, such as a race window or a specific deployment configuration, are needed either. Together they indicate a reliable exploit.

Blast Radius

  • VC:H: high confidentiality impact on the vulnerable system. Data on the device becomes readable at the privilege level the attacker escalates to.
  • VI:H: high integrity impact. Persisted data and system state on the device can be written or modified.
  • VA:H: high availability impact. The affected service can be crashed or disrupted.
  • SC:H, SI:H, SA:H: high confidentiality, integrity and availability impact on subsequent systems, i.e. components beyond the vulnerable service itself, including system-level resources.
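The two sections above read the CVSS v4.0 vector printed at the bottom of this record by hand. The following is an added example, not HarborGuard's or Google's code, that does the same mechanically: it parses and validates the vector, expands the base metrics into the exploit-condition and blast-radius questions, and flags the disagreement between the vector's AV:N and the advisory's "local escalation of privilege" wording. The vector and advisory text are copied from this page; the metric tables follow the CVSS v4.0 specification.

```python
"""CVSS v4.0 vector sanity checks for CVE-2026-0072.

Added example, not HarborGuard's or Google's code. It parses the vector
string printed on this record, expands the base metrics into the wording
used under "Exploit Conditions" and "Blast Radius", and flags the
disagreement between the vector's Attack Vector (AV:N) and the advisory
text, which describes a *local* escalation of privilege.
"""
import re

# Both strings are copied from this record.
VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
ADVISORY_TEXT = (
    "In addInputMethodListener of com.android.server.inputmethod."
    "InputMethodManagerService, there is a missing permission check. This "
    "could lead to local escalation of privilege with no additional "
    "execution privileges needed. User interaction is not needed for "
    "exploitation."
)

# Allowed values of the eleven mandatory CVSS v4.0 base metrics.
BASE_METRICS = {
    "AV": {"N", "A", "L", "P"}, "AC": {"L", "H"}, "AT": {"N", "P"},
    "PR": {"N", "L", "H"}, "UI": {"N", "P", "A"},
    "VC": {"H", "L", "N"}, "VI": {"H", "L", "N"}, "VA": {"H", "L", "N"},
    "SC": {"H", "L", "N"}, "SI": {"H", "L", "N"}, "SA": {"H", "L", "N"},
}

AV_WORDS = {"N": "network", "A": "adjacent", "L": "local", "P": "physical"}


def parse_cvss4(vector: str) -> dict:
    """Return {metric: value} for a CVSS v4.0 vector.

    Rejects a wrong version prefix, malformed or duplicated metrics, values
    outside the spec, and vectors missing any mandatory base metric.
    Optional threat/environmental/supplemental metrics are kept as-is.
    """
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {parts[0]!r}")
    metrics: dict = {}
    for part in parts[1:]:
        m = re.fullmatch(r"([A-Z]{1,3}):([A-Z])", part)
        if not m:
            raise ValueError(f"malformed metric {part!r}")
        name, value = m.groups()
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        if name in BASE_METRICS and value not in BASE_METRICS[name]:
            raise ValueError(f"{name}:{value} is not a valid value")
        metrics[name] = value
    missing = sorted(set(BASE_METRICS) - set(metrics))
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def exploit_conditions(m: dict) -> dict:
    """Expand the exploitability metrics into the page's triage questions.

    v4.0 splits what v3.x folded into AC: AC now covers mitigations the
    attacker must defeat (e.g. ASLR), while AT covers preconditions outside
    the attacker's control (e.g. a race window).
    """
    return {
        "attack_vector": AV_WORDS[m["AV"]],
        "authentication_required": m["PR"] != "N",
        "user_interaction_required": m["UI"] != "N",
        "must_defeat_mitigations": m["AC"] == "H",
        "needs_preconditions": m["AT"] == "P",
    }


def blast_radius(m: dict) -> dict:
    """Map the six impact metrics onto vulnerable vs. subsequent systems."""
    def high(k: str) -> bool:
        return m[k] == "H"
    return {
        "vulnerable_system": {"C": high("VC"), "I": high("VI"), "A": high("VA")},
        "subsequent_system": {"C": high("SC"), "I": high("SI"), "A": high("SA")},
    }


def av_matches_advisory(m: dict, text: str) -> bool:
    """Cross-check AV against the advisory wording.

    Android bulletin text says "local escalation of privilege" when the
    attacker is an app already on the device; an AV of N or A claims a
    remote attacker instead, so the two disagree and the record needs a
    human look before network reachability is acted on.
    """
    says_local = re.search(r"\blocal escalation of privilege\b", text, re.I)
    return not (says_local and m["AV"] in ("N", "A"))


if __name__ == "__main__":
    metrics = parse_cvss4(VECTOR)
    print("exploit conditions:", exploit_conditions(metrics))
    print("blast radius:", blast_radius(metrics))
    if not av_matches_advisory(metrics, ADVISORY_TEXT):
        print(f"WARNING: vector says AV:{metrics['AV']} but the advisory "
              "describes a local EoP; treat network reachability as unconfirmed")
```

Run as a script it prints the expanded conditions and the warning; imported into a triage pipeline, `av_matches_advisory` is the check worth wiring in front of any rule that keys network-isolation controls off AV:N, because for this record that rule would fire on a metric the advisory itself contradicts.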

How HarborGuard Handles This

No upstream fix exists for CVE-2026-0072 at this time. HarborGuard monitors the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment Google publishes a fix for Android XR 14.

In the interim, customers can apply compensating controls through HarborGuard policy: network-policy isolation to restrict which workloads can reach services exposing the affected InputMethodManagerService component, egress filtering to limit lateral movement if exploitation occurs, and feature-flag gating to disable input method listener registration where the functionality is not required. Two caveats apply. The advisory describes a local privilege escalation by an application already on the device, so network isolation and egress filtering limit what an attacker can do afterwards but do not stop an on-device caller from reaching the service. And disabling listener registration changes input method behaviour, so validate the flag on a representative image before rolling it out.

For customers with auto-remediation enabled, a rebuilt image, a regression-test run, and a pull request against affected workloads will be triggered automatically once a fix version is published upstream. The typical median time from CVE publication to merged patch PR is around 90 minutes for critical-severity issues in environments with auto-remediation active.

Affected packages
  • Google / Android XR 14
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H