Skip to main content

Android XR CVE-2026-0072

| EUVD-2026-33728 CRITICAL
Improper Authorization (CWE-285)
2026-06-01 google_android GHSA-q4x3-4f53-mg6q
Authentication Bypass Privilege Escalation Google
10.0
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 01, 2026 - 19:38 vuln.today
CVSS changed
Jun 01, 2026 - 19:22 NVD
10.0 (CRITICAL)
CVE Published
Jun 01, 2026 - 17:38 nvd
CRITICAL 10.0

DescriptionNVD

In addInputMethodListener of com.android.server.inputmethod.InputMethodManagerService, there is a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local privilege escalation in Google Android XR stems from a missing permission check in InputMethodManagerService.addInputMethodListener, allowing an app or local context to register input method listeners without the authorization the IME subsystem normally requires. The flaw needs no user interaction and no additional execution privileges, and is addressed in the June 2026 Android XR security bulletin; no public exploit identified at time of analysis.

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Inventory Android XR deployments, restrict app installations via mobile device management, and implement activity monitoring on InputMethodManagerService. Within 7 days: Verify Android XR security bulletin updates and establish patch readiness procedures. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-10881 CRITICAL
9.6 Jun 04

Sandbox escape in Google Chrome's ANGLE graphics layer prior to version 149.0.7827.53 allows a remote attacker to trigge
CVE-2026-10886 CRITICAL
9.6 Jun 04

Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows remote attackers to exploit a use-after-free cond
CVE-2026-10966 CRITICAL
9.6 Jun 04

Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows remote attackers to break out of the renderer pro
CVE-2026-10971 CRITICAL
9.6 Jun 04

Sandbox escape in Google Chrome on Windows prior to 149.0.7827.53 allows a remote attacker who has already compromised t
CVE-2026-10974 CRITICAL
9.6 Jun 04

Sandbox escape in Google Chrome's ANGLE graphics layer prior to version 149.0.7827.53 allows a remote attacker to break

Share

CVE-2026-0072 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy