Skip to main content

Libinput CVE-2026-35094

| EUVDEUVD-2026-17909 LOW
Expired Pointer Dereference (CWE-825)
2026-04-01 secalert@redhat.com
3.3
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 01, 2026 - 14:22 euvd
EUVD-2026-17909
Analysis Generated
Apr 01, 2026 - 14:22 vuln.today
CVE Published
Apr 01, 2026 - 14:16 nvd
LOW 3.3

DescriptionCVE.org

A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, leaving a pointer that can then be printed to system logs. This could potentially expose sensitive data if the memory location is re-used, leading to information disclosure. For this exploit to work, Lua plugins must be enabled in libinput and loaded by the compositor.

AnalysisAI

Libinput versions prior to 1.26.0 contain a dangling pointer vulnerability in Lua plugin garbage collection that allows local authenticated attackers to read sensitive data from system logs, requiring the ability to deploy malicious Lua plugin files to system directories and Lua plugin support to be enabled in the compositor. The vulnerability has a CVSS score of 3.3 (low severity) with confirmed patch availability, and poses minimal real-world risk due to high prerequisites including local file write access and plugin enablement.

Technical ContextAI

Libinput is an input device handling library for X.Org and Wayland compositors. The vulnerability stems from improper memory management in the Lua plugin subsystem, specifically in a garbage collection cleanup function (CWE-825: Expired Pointer Dereference). When Lua plugins are loaded by the compositor, a cleanup handler fails to properly invalidate a pointer after freeing the associated memory, creating a dangling pointer. Upon subsequent garbage collection cycles, this pointer may be dereferenced and its contents written to system logs. The vulnerability is present in CPE libinput versions before 1.26.0, and exploitability depends on Lua plugin framework being compiled into and enabled within the target system's compositor configuration.

RemediationAI

Upgrade libinput to version 1.26.0 or later. This patched release includes corrections to the garbage collection cleanup function to properly invalidate dangling pointers before memory deallocation. Users unable to immediately upgrade should disable Lua plugin support in their compositor configuration if not required for intended functionality, which eliminates the attack surface entirely. Verify that system directories (/etc/libinput, /usr/local/share/libinput, and similar paths depending on distribution) do not contain untrusted or unexpected Lua plugin files (.lua), as deploying a malicious plugin is a prerequisite for exploitation. Refer to Red Hat's security advisory at https://access.redhat.com/security/cve/CVE-2026-35094 and the Bugzilla report at https://bugzilla.redhat.com/show_bug.cgi?id=2453840 for distribution-specific patch availability and deployment guidance.

Share

CVE-2026-35094 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy