CVE-2025-26450
published 2025-09-04CVE-2025-26450: In onInputEvent of IInputMethodSessionWrapper.java, there is a possible way for an untrusted app to inject key and motion events to the default IME due to a…
high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
In onInputEvent of IInputMethodSessionWrapper.java, there is a possible way for an untrusted app to inject key and motion events to the default IME due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| platform | frameworks_base | >= 13:0 < 13:2025-06-01 | 13:2025-06-01 |
| platform | frameworks_base | >= 14:0 < 14:2025-06-01 | 14:2025-06-01 |
| platform | frameworks_base | >= 15:0 < 15:2025-06-01 | 15:2025-06-01 |
| platform | frameworks_base | >= 16-next:0 < 16-next:2025-06-01 | 16-next:2025-06-01 |
Android
CVE-2025-26450: Android Security Bulletin 2025-06-01
CVE: CVE-2025-26450
Severity: HIGH
Type: EoP
Affected AOSP versions: 13, 14, 15
References: A-331730488
vendor_android·2025-06-01·CVSS 7.8
CVE-2025-26450 [HIGH] CVE-2025-26450: Android Security Bulletin 2025-06-01
CVE: CVE-2025-26450
Severity: HIGH
Type: EoP
Affected AOSP versions: 13, 14, 15
References: A-331730488
Android Security Bulletin 2025-06-01
CVE: CVE-2025-26450
Severity: HIGH
Type: EoP
Affected AOSP versions: 13, 14, 15
References: A-331730488
GHSA
GHSA-6qrx-pf57-6vqf: In onInputEvent of IInputMethodSessionWrapper
ghsa_unreviewed·2025-09-05
CVE-2025-26450 [HIGH] CWE-862 GHSA-6qrx-pf57-6vqf: In onInputEvent of IInputMethodSessionWrapper
In onInputEvent of IInputMethodSessionWrapper.java, there is a possible way for an untrusted app to inject key and motion events to the default IME due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
OSV
CVE-2025-26450: In onInputEvent of IInputMethodSessionWrapper
osv·2025-06-01
CVE-2025-26450 CVE-2025-26450: In onInputEvent of IInputMethodSessionWrapper
In onInputEvent of IInputMethodSessionWrapper.java, there is a possible way for an untrusted app to inject key and motion events to the default IME due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-09-04
Published