In onInputEvent of IInputMethodSessionWrapper.java, there is a possible way for an untrusted app to inject key and motion events to the default IME due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "types": [ "EoP" ], "severity": "High", "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "253028914726280539825162523973783643965", "206739945316017438873574398788485641300", "266910084218682548691790128036112675259", "185372306841454454408454239359307096468", "284494418566078988650496289076205119993", "25802988984152440496376130864413880558", "200039421099050081133101928042838238067" ] }, "id": "ASB-A-331730488-0b322e4a", "deprecated": false, "source": "https://android.googlesource.com/platform/frameworks/base/+/1a0e562bf1561180c5ce5b159ea8f6e41795a5ec", "signature_version": "v1", "signature_type": "Line", "target": { "file": "core/java/android/inputmethodservice/InputMethodService.java" } }, { "digest": { "threshold": 0.9, "line_hashes": [ "328651147336952458180860785826680765228", "96466046636153201550061560713624272950", "77265090412007134642388576780470855016", "73737917085226567783077328738629205306", "276867639101224459919476091191065327455", "147366463899983307002147959728147036", "311702867855631226172695613643118024261" ] }, "id": "ASB-A-331730488-0b6664d8", "deprecated": false, "source": "https://android.googlesource.com/platform/frameworks/base/+/1a0e562bf1561180c5ce5b159ea8f6e41795a5ec", "signature_version": "v1", "signature_type": "Line", "target": { "file": "core/java/android/inputmethodservice/AbstractInputMethodService.java" } }, { "digest": { "function_hash": "15227724865056872858497255391329434705", "length": 246.0 }, "id": "ASB-A-331730488-15582c29", "deprecated": false, "source": "https://android.googlesource.com/platform/frameworks/base/+/1a0e562bf1561180c5ce5b159ea8f6e41795a5ec", "signature_version": "v1", "signature_type": "Function", "target": { "file": "core/java/android/inputmethodservice/IInputMethodSessionWrapper.java", "function": "IInputMethodSessionWrapper" } }, { "digest": { "function_hash": "15227724865056872858497255391329434705", "length": 246.0 }, "id": "ASB-A-331730488-2861e4c5", "deprecated": false, "source": "https://android.googlesource.com/platform/frameworks/base/+/47414432d61ce79083505ff013372d68eb058fc6", "signature_version": "v1", "signature_type": "Function", "target": { "file": "core/java/android/inputmethodservice/IInputMethodSessionWrapper.java", "function": "IInputMethodSessionWrapper" } }, { "digest": { "threshold": 0.9, "line_hashes": [ "172848984163638007286105947422733921543", "847155060487531221374269903456783277", "111993470439390836194117260640431436697", "104750934806643600617597844639565733695", "75158882118009371071361023465821430667", "135871466146989901191426208127471819357", "308381696451116297295944943316080989956", "34927004352094911621456960342404422472", "264010978195772620682918915318109148375", "257405580271605283524176509605242808267", "63841418663469056891104465294179817172", "226278951419627437239791060782236326012", "57144290942498080497278314675187691415", "294291249857791155796089438124406141944", "6676187597761962266827575857744206726", "277845359819353882831128656289592381607", "332188674809392788061235438211348027992", "12244925195177707402219998115124248782", "14371573940702669578642295716403270786", "33527069975899517067426501402678416668", "98288309644282461078565607248542740762", "225357228333330399650379320798426232389", "329357067270808955607109134920522439021", "90231326960727631371073822777348269933", "172017409234811981036246676321776045885", "61947651977670693095880371723143000154", "216452831304761845070416103803800894320", "176576332023145313246070320348097270531", "12869687358214909485317219873106197369", "114010758058012026204360729466043416633", "180392173072050675894708699977201896479", "108587633537507210242609878158511307392" ] }, "id": "ASB-A-331730488-48023c87", "deprecated": false, "source": "https://android.googlesource.com/platform/frameworks/base/+/47414432d61ce79083505ff013372d68eb058fc6", "signature_version": "v1", "signature_type": "Line", "target": { "file": "core/java/android/inputmethodservice/IInputMethodSessionWrapper.java" } }, { "digest": { "threshold": 0.9, "line_hashes": [ "109962503331004009652337911159454565852", "92265826247961563126125019730013137549", "75563199640304218559070515510244479073", "88130024757704395230255689040303933651" ] }, "signature_version": "v1", "source": "https://android.googlesource.com/platform/frameworks/base/+/1a0e562bf1561180c5ce5b159ea8f6e41795a5ec", "id": "ASB-A-331730488-69b5320a", "deprecated": false, "match_only_versions": [ "16-next" ], "signature_type": "Line", "target": { "file": "core/java/android/view/inputmethod/InputMethodSession.java" } }, { "digest": { "function_hash": "61679241690974432802943552968499161217", "length": 537.0 }, "id": "ASB-A-331730488-7d9dce0a", "deprecated": false, "source": "https://android.googlesource.com/platform/frameworks/base/+/1a0e562bf1561180c5ce5b159ea8f6e41795a5ec", "signature_version": "v1", "signature_type": "Function", "target": { "file": "core/java/android/inputmethodservice/IInputMethodSessionWrapper.java", "function": "onInputEvent" } }, { "digest": { "threshold": 0.9, "line_hashes": [ "109962503331004009652337911159454565852", "92265826247961563126125019730013137549", "75563199640304218559070515510244479073", "88130024757704395230255689040303933651" ] }, "signature_version": "v1", "source": "https://android.googlesource.com/platform/frameworks/base/+/47414432d61ce79083505ff013372d68eb058fc6", "id": "ASB-A-331730488-95b923c1", "deprecated": false, "match_only_versions": [ "16-next" ], "signature_type": "Line", "target": { "file": "core/java/android/view/inputmethod/InputMethodSession.java" } }, { "digest": { "threshold": 0.9, "line_hashes": [ "314805309586719012574927808313753788272", "252083341114277273854226940887204903838", "4334948302359925559173835269260902851", "17766630800612098338813833936091966324", "145832304135191506795045817912088579569", "44378097996061953417066740617599083435" ] }, "id": "ASB-A-331730488-b4cfc1ed", "deprecated": false, "source": "https://android.googlesource.com/platform/frameworks/base/+/d12c5fe88d4d737afea9a57f3f928ed4186737cc", "signature_version": "v1", "signature_type": "Line", "target": { "file": "core/java/android/view/inputmethod/InputMethodSession.java" } }, { "digest": { "threshold": 0.9, "line_hashes": [ "253028914726280539825162523973783643965", "206739945316017438873574398788485641300", "266910084218682548691790128036112675259", "185372306841454454408454239359307096468", "284494418566078988650496289076205119993", "25802988984152440496376130864413880558", "200039421099050081133101928042838238067" ] }, "id": "ASB-A-331730488-c126f219", "deprecated": false, "source": "https://android.googlesource.com/platform/frameworks/base/+/47414432d61ce79083505ff013372d68eb058fc6", "signature_version": "v1", "signature_type": "Line", "target": { "file": "core/java/android/inputmethodservice/InputMethodService.java" } }, { "digest": { "function_hash": "61679241690974432802943552968499161217", "length": 537.0 }, "id": "ASB-A-331730488-c5bd6f06", "deprecated": false, "source": "https://android.googlesource.com/platform/frameworks/base/+/47414432d61ce79083505ff013372d68eb058fc6", "signature_version": "v1", "signature_type": "Function", "target": { "file": "core/java/android/inputmethodservice/IInputMethodSessionWrapper.java", "function": "onInputEvent" } }, { "digest": { "threshold": 0.9, "line_hashes": [ "172848984163638007286105947422733921543", "847155060487531221374269903456783277", "111993470439390836194117260640431436697", "104750934806643600617597844639565733695", "75158882118009371071361023465821430667", "135871466146989901191426208127471819357", "308381696451116297295944943316080989956", "34927004352094911621456960342404422472", "264010978195772620682918915318109148375", "257405580271605283524176509605242808267", "63841418663469056891104465294179817172", "226278951419627437239791060782236326012", "57144290942498080497278314675187691415", "294291249857791155796089438124406141944", "6676187597761962266827575857744206726", "277845359819353882831128656289592381607", "332188674809392788061235438211348027992", "12244925195177707402219998115124248782", "14371573940702669578642295716403270786", "33527069975899517067426501402678416668", "98288309644282461078565607248542740762", "225357228333330399650379320798426232389", "329357067270808955607109134920522439021", "90231326960727631371073822777348269933", "172017409234811981036246676321776045885", "61947651977670693095880371723143000154", "216452831304761845070416103803800894320", "176576332023145313246070320348097270531", "12869687358214909485317219873106197369", "114010758058012026204360729466043416633", "180392173072050675894708699977201896479", "108587633537507210242609878158511307392" ] }, "id": "ASB-A-331730488-f0a227d0", "deprecated": false, "source": "https://android.googlesource.com/platform/frameworks/base/+/1a0e562bf1561180c5ce5b159ea8f6e41795a5ec", "signature_version": "v1", "signature_type": "Line", "target": { "file": "core/java/android/inputmethodservice/IInputMethodSessionWrapper.java" } }, { "digest": { "threshold": 0.9, "line_hashes": [ "328651147336952458180860785826680765228", "96466046636153201550061560713624272950", "77265090412007134642388576780470855016", "73737917085226567783077328738629205306", "276867639101224459919476091191065327455", "147366463899983307002147959728147036", "311702867855631226172695613643118024261" ] }, "id": "ASB-A-331730488-f8af89dd", "deprecated": false, "source": "https://android.googlesource.com/platform/frameworks/base/+/47414432d61ce79083505ff013372d68eb058fc6", "signature_version": "v1", "signature_type": "Line", "target": { "file": "core/java/android/inputmethodservice/AbstractInputMethodService.java" } } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/1a0e562bf1561180c5ce5b159ea8f6e41795a5ec", "https://android.googlesource.com/platform/frameworks/base/+/d12c5fe88d4d737afea9a57f3f928ed4186737cc", "https://android.googlesource.com/platform/frameworks/base/+/47414432d61ce79083505ff013372d68eb058fc6" ], "spl": "2025-06-01" }
{ "types": [ "EoP" ], "severity": "High", "vanir_signatures": [ { "digest": { "function_hash": "15227724865056872858497255391329434705", "length": 246.0 }, "id": "ASB-A-331730488-910d8695", "deprecated": false, "source": "https://android.googlesource.com/platform/frameworks/base/+/9fe5a77f7a48f891e87898b7a97361c6355c0dcd", "signature_version": "v1", "signature_type": "Function", "target": { "file": "core/java/android/inputmethodservice/IInputMethodSessionWrapper.java", "function": "IInputMethodSessionWrapper" } }, { "digest": { "function_hash": "61679241690974432802943552968499161217", "length": 537.0 }, "id": "ASB-A-331730488-f6c31aa8", "deprecated": false, "source": "https://android.googlesource.com/platform/frameworks/base/+/9fe5a77f7a48f891e87898b7a97361c6355c0dcd", "signature_version": "v1", "signature_type": "Function", "target": { "file": "core/java/android/inputmethodservice/IInputMethodSessionWrapper.java", "function": "onInputEvent" } }, { "digest": { "threshold": 0.9, "line_hashes": [ "172848984163638007286105947422733921543", "847155060487531221374269903456783277", "111993470439390836194117260640431436697", "104750934806643600617597844639565733695", "75158882118009371071361023465821430667", "135871466146989901191426208127471819357", "308381696451116297295944943316080989956", "34927004352094911621456960342404422472", "264010978195772620682918915318109148375", "257405580271605283524176509605242808267", "63841418663469056891104465294179817172", "226278951419627437239791060782236326012", "57144290942498080497278314675187691415", "294291249857791155796089438124406141944", "6676187597761962266827575857744206726", "277845359819353882831128656289592381607", "332188674809392788061235438211348027992", "12244925195177707402219998115124248782", "14371573940702669578642295716403270786", "33527069975899517067426501402678416668", "98288309644282461078565607248542740762", "225357228333330399650379320798426232389", "329357067270808955607109134920522439021", "90231326960727631371073822777348269933", "172017409234811981036246676321776045885", "61947651977670693095880371723143000154", "216452831304761845070416103803800894320", "176576332023145313246070320348097270531", "12869687358214909485317219873106197369", "114010758058012026204360729466043416633", "180392173072050675894708699977201896479", "108587633537507210242609878158511307392" ] }, "id": "ASB-A-331730488-fa8cbc95", "deprecated": false, "source": "https://android.googlesource.com/platform/frameworks/base/+/9fe5a77f7a48f891e87898b7a97361c6355c0dcd", "signature_version": "v1", "signature_type": "Line", "target": { "file": "core/java/android/inputmethodservice/IInputMethodSessionWrapper.java" } } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/9fe5a77f7a48f891e87898b7a97361c6355c0dcd" ], "spl": "2025-06-01" }
{ "types": [ "EoP" ], "severity": "High", "vanir_signatures": [ { "digest": { "function_hash": "61679241690974432802943552968499161217", "length": 537.0 }, "id": "ASB-A-331730488-55a9c14a", "deprecated": false, "source": "https://android.googlesource.com/platform/frameworks/base/+/ca6ddbf971648d2661e3f6f9d3578731bf415ce6", "signature_version": "v1", "signature_type": "Function", "target": { "file": "core/java/android/inputmethodservice/IInputMethodSessionWrapper.java", "function": "onInputEvent" } }, { "digest": { "threshold": 0.9, "line_hashes": [ "172848984163638007286105947422733921543", "847155060487531221374269903456783277", "111993470439390836194117260640431436697", "104750934806643600617597844639565733695", "75158882118009371071361023465821430667", "135871466146989901191426208127471819357", "308381696451116297295944943316080989956", "115734396422696501703881965738501981506", "117539816710689564457895376510853699701", "174907999354117090166763143319437809499", "63841418663469056891104465294179817172", "226278951419627437239791060782236326012", "57144290942498080497278314675187691415", "294291249857791155796089438124406141944", "6676187597761962266827575857744206726", "277845359819353882831128656289592381607", "332188674809392788061235438211348027992", "12244925195177707402219998115124248782", "14371573940702669578642295716403270786", "33527069975899517067426501402678416668", "98288309644282461078565607248542740762", "225357228333330399650379320798426232389", "329357067270808955607109134920522439021", "90231326960727631371073822777348269933", "172017409234811981036246676321776045885", "61947651977670693095880371723143000154", "216452831304761845070416103803800894320", "176576332023145313246070320348097270531", "12869687358214909485317219873106197369", "114010758058012026204360729466043416633", "180392173072050675894708699977201896479", "108587633537507210242609878158511307392" ] }, "id": "ASB-A-331730488-8b70c54d", "deprecated": false, "source": "https://android.googlesource.com/platform/frameworks/base/+/ca6ddbf971648d2661e3f6f9d3578731bf415ce6", "signature_version": "v1", "signature_type": "Line", "target": { "file": "core/java/android/inputmethodservice/IInputMethodSessionWrapper.java" } }, { "digest": { "function_hash": "15227724865056872858497255391329434705", "length": 246.0 }, "id": "ASB-A-331730488-bbb82584", "deprecated": false, "source": "https://android.googlesource.com/platform/frameworks/base/+/ca6ddbf971648d2661e3f6f9d3578731bf415ce6", "signature_version": "v1", "signature_type": "Function", "target": { "file": "core/java/android/inputmethodservice/IInputMethodSessionWrapper.java", "function": "IInputMethodSessionWrapper" } } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/ca6ddbf971648d2661e3f6f9d3578731bf415ce6" ], "spl": "2025-06-01" }
{ "types": [ "EoP" ], "severity": "High", "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "172848984163638007286105947422733921543", "847155060487531221374269903456783277", "111993470439390836194117260640431436697", "104750934806643600617597844639565733695", "75158882118009371071361023465821430667", "135871466146989901191426208127471819357", "308381696451116297295944943316080989956", "34927004352094911621456960342404422472", "264010978195772620682918915318109148375", "257405580271605283524176509605242808267", "63841418663469056891104465294179817172", "226278951419627437239791060782236326012", "57144290942498080497278314675187691415", "294291249857791155796089438124406141944", "6676187597761962266827575857744206726", "277845359819353882831128656289592381607", "332188674809392788061235438211348027992", "12244925195177707402219998115124248782", "14371573940702669578642295716403270786", "33527069975899517067426501402678416668", "98288309644282461078565607248542740762", "225357228333330399650379320798426232389", "329357067270808955607109134920522439021", "90231326960727631371073822777348269933", "172017409234811981036246676321776045885", "61947651977670693095880371723143000154", "216452831304761845070416103803800894320", "176576332023145313246070320348097270531", "12869687358214909485317219873106197369", "114010758058012026204360729466043416633", "180392173072050675894708699977201896479", "108587633537507210242609878158511307392" ] }, "id": "ASB-A-331730488-0ff58d6a", "deprecated": false, "source": "https://android.googlesource.com/platform/frameworks/base/+/c65e5458f5a3c06342d177d1ba1cc03c42323a94", "signature_version": "v1", "signature_type": "Line", "target": { "file": "core/java/android/inputmethodservice/IInputMethodSessionWrapper.java" } }, { "digest": { "function_hash": "15227724865056872858497255391329434705", "length": 246.0 }, "id": "ASB-A-331730488-a7740e8e", "deprecated": false, "source": "https://android.googlesource.com/platform/frameworks/base/+/c65e5458f5a3c06342d177d1ba1cc03c42323a94", "signature_version": "v1", "signature_type": "Function", "target": { "file": "core/java/android/inputmethodservice/IInputMethodSessionWrapper.java", "function": "IInputMethodSessionWrapper" } }, { "digest": { "function_hash": "61679241690974432802943552968499161217", "length": 537.0 }, "id": "ASB-A-331730488-fb98c4db", "deprecated": false, "source": "https://android.googlesource.com/platform/frameworks/base/+/c65e5458f5a3c06342d177d1ba1cc03c42323a94", "signature_version": "v1", "signature_type": "Function", "target": { "file": "core/java/android/inputmethodservice/IInputMethodSessionWrapper.java", "function": "onInputEvent" } } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/c65e5458f5a3c06342d177d1ba1cc03c42323a94" ], "spl": "2025-06-01" }