This vulnerability arises from a missing permission check in the addInputMethodListener method within com.android.server.inputmethod.InputMethodManagerService on Android XR 14. This improper authorization (CWE-285) allows a local attacker to escalate privileges without needing prior execution privileges or user interaction. The vulnerability is rated critical with a CVSS 4.0 score of 10, indicating high impact on confidentiality, integrity, and availability. No patch or official remediation level has been published by Google as of the data available.

Successful exploitation results in local privilege escalation on affected Android XR 14 devices, potentially allowing an attacker to gain elevated privileges without requiring user interaction or additional execution rights. This could compromise device security and control.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or temporary mitigation is currently available, users and administrators should monitor Google's advisories for updates. Until a patch is released, limiting local access to trusted users may reduce risk.