Android Input Method Framework Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in the Android Input Method Framework, specifically within the InputMethodInfo component. The issue arises from possible resource exhaustion and leads to a local denial-of-service condition. The vulnerability does not require any additional execution privileges and can be exploited without user interaction.
Impact
Exploitation of this vulnerability causes a local denial-of-service condition, where the input method manager runs out of memory while processing excessively large metadata from input method XML files.
Reproduction
The vulnerability can be reproduced by creating a malicious input method that includes an extremely large amount of metadata in its input method XML. When this input method is loaded, the Input Method Manager (IMM) will exhaust system resources, leading to a denial-of-service condition.
Remediation
Users can update to the December 2025 security patch level to address this vulnerability.
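A defender-side triage check for the condition described under Reproduction, as an added example that is not code from this advisory or from Android: it audits a decoded input method XML document for oversized metadata and refuses to parse input that is itself too large. The function names, the size limits and the sample documents are assumptions made for illustration, and the XML is assumed to have already been decoded from the APK's binary resource format to text.

```python
import io
import xml.etree.ElementTree as ET

# Assumed triage limits; NOT taken from the advisory or from the Android patch.
MAX_XML_BYTES = 256 * 1024
MAX_SUBTYPES = 200
MAX_ATTR_CHARS = 1024

def audit_ime_xml(data: bytes) -> list:
    """Return findings for one decoded input method XML document."""
    if len(data) > MAX_XML_BYTES:
        # Refuse before parsing so the auditor cannot be exhausted itself.
        return [f"size {len(data)} bytes exceeds {MAX_XML_BYTES}; not parsed"]
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return ["DTD or entity declaration present; not parsed"]
    findings, subtypes, root = [], 0, None
    try:
        # "start" events are enough: tag and attributes are set at that point.
        for _, elem in ET.iterparse(io.BytesIO(data), events=("start",)):
            if root is None:
                root = elem.tag
                if root != "input-method":
                    findings.append(f"unexpected root element <{root}>")
            if elem.tag == "subtype":
                subtypes += 1
            for name, value in elem.attrib.items():
                if len(value) > MAX_ATTR_CHARS:
                    attr = name.rsplit("}", 1)[-1]  # drop the namespace URI
                    findings.append(f"<{elem.tag}> {attr} is {len(value)} chars")
    except ET.ParseError as exc:
        findings.append(f"malformed XML: {exc}")
    if subtypes > MAX_SUBTYPES:
        findings.append(f"{subtypes} subtypes exceeds {MAX_SUBTYPES}")
    return findings

def constructed_sample(subtypes: int, locale: str = "en_US") -> bytes:
    """Build a constructed input method XML document for the checks below."""
    row = f'<subtype android:imeSubtypeLocale="{locale}" android:imeSubtypeMode="keyboard"/>'
    return ('<input-method xmlns:android="http://schemas.android.com/apk/res/android" '
            'android:settingsActivity="com.example.ime.Settings">'
            + row * subtypes + "</input-method>").encode()

if __name__ == "__main__":
    for label, doc in [("benign", constructed_sample(2)),
                       ("many subtypes", constructed_sample(500)),
                       ("long attribute", constructed_sample(1, "x" * 5000)),
                       ("oversized file", constructed_sample(5000))]:
        print(label, "->", audit_ime_xml(doc) or "ok")
```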
