CVE-2026-21054 in InputSharinginfo

Summary

by MITRE • 07/10/2026

Improper export of android application components in InputSharing prior to version 2.7.01.4 allows local attackers to access sharing data.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability described represents a critical security flaw in the InputSharing component of Android applications where improper export of application components creates unauthorized access pathways for local attackers. This issue specifically affects versions prior to 2.7.01.4 and stems from inadequate component exposure controls within the application's manifest file, allowing malicious local processes to interact with sensitive sharing data through exported components that should remain private to the application.

The technical root cause of this vulnerability aligns with CWE-922, which addresses insufficient export restrictions on Android components, and represents a classic case of insecure component exposure. When application components such as activities, services, or broadcast receivers are improperly exported in the AndroidManifest.xml file, they become accessible to other applications running on the same device without proper authentication or authorization mechanisms. This creates an attack surface where local adversaries can exploit these exported interfaces to access sensitive data that should remain protected within the application's secure boundaries.

From an operational impact perspective, this vulnerability enables local attackers to potentially access, modify, or exfiltrate sharing data through unauthorized component interactions. The implications extend beyond simple data exposure as attackers could manipulate the sharing functionality to inject malicious content, disrupt normal operations, or establish persistent access points within the application ecosystem. The attack vector is particularly concerning because it requires no network connectivity and operates entirely within the device's local environment, making detection more challenging.

The vulnerability demonstrates weaknesses in the principle of least privilege implementation where components are exported with overly permissive access controls. Attackers can leverage this flaw to perform unauthorized data access operations against the sharing functionality, potentially compromising user privacy and application integrity. The impact is amplified when considering that Android applications often handle sensitive user information, making this vulnerability particularly dangerous in contexts involving personal data sharing or enterprise communication systems.

Security mitigations for this vulnerability involve proper component export management through careful review of AndroidManifest.xml files to ensure only necessary components are exported with appropriate permissions. Organizations should implement strict access control policies using android:exported attributes with explicit permission requirements for any exported components. Additionally, regular security audits of application manifests and implementation of automated scanning tools can help identify similar exposure issues before they can be exploited. The remediation process requires comprehensive testing to ensure that legitimate functionality remains intact while unauthorized access pathways are eliminated.

This vulnerability type falls under the ATT&CK technique T1068 which covers 'Exploitation for Privilege Escalation' and specifically relates to Android-specific attack patterns involving component manipulation and local privilege escalation. The issue also connects to broader mobile security concerns including proper application sandboxing and component isolation principles that are fundamental to Android security architecture. Organizations should prioritize updating to version 2.7.01.4 or later where this vulnerability has been addressed through proper export controls and enhanced access restriction mechanisms.

Responsible

SamsungMobile

Reservation

12/11/2025

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!