Skip to main content

Libinput EUVDEUVD-2026-17907

| CVE-2026-35093 HIGH
Code Injection (CWE-94)
2026-04-01 secalert@redhat.com
8.8
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 01, 2026 - 14:22 euvd
EUVD-2026-17907
Analysis Generated
Apr 01, 2026 - 14:22 vuln.today
CVE Published
Apr 01, 2026 - 14:16 nvd
HIGH 8.8

DescriptionCVE.org

A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories can bypass security restrictions. This allows the attacker to run unauthorized code with the same permissions as the program using libinput, such as a graphical compositor. This could lead to the attacker monitoring keyboard input and sending that information to an external location.

AnalysisAI

Local privilege escalation in libinput allows authenticated users to execute arbitrary code within graphical compositor contexts by placing malicious Lua bytecode in system or user configuration directories. The vulnerability achieves scope change (CVSS:S:C) with high impact across confidentiality, integrity, and availability (8.8 CVSS), enabling attackers to monitor keyboard input including passwords and sensitive data. No public exploit identified at time of analysis, with EPSS data unavailable for this recently disclosed vulnerability.

Technical ContextAI

Libinput is a foundational input device handling library used by Wayland compositors and X.org server implementations on Linux systems. This vulnerability (CWE-94: Improper Control of Generation of Code) stems from libinput's use of Lua scripting for configuration processing without adequate bytecode validation. When libinput loads configuration files from predictable directories, it executes embedded Lua bytecode with the privileges of the calling process-typically a display server or compositor running with elevated capabilities or user session privileges. The scope change indicator (S:C) in the CVSS vector signals that the vulnerability allows escape from libinput's security boundary into the broader compositor security context, effectively turning a configuration loading mechanism into a code execution pathway. The attack requires local access (AV:L) and low-level user privileges (PR:L), but no user interaction (UI:N) and low complexity (AC:L), making it trivially exploitable once local access is achieved.

RemediationAI

Apply vendor-released security updates for libinput as soon as they become available from your Linux distribution. Red Hat users should monitor https://access.redhat.com/security/cve/CVE-2026-35093 for patch release notifications and apply updates through standard yum or dnf update procedures. Users of other distributions should check their security trackers and apply libinput updates when released. Until patches are deployed, implement defense-in-depth controls: restrict write access to libinput configuration directories (typically /etc/libinput/ and ~/.config/libinput/ or similar paths depending on distribution) using filesystem permissions and mandatory access control policies like SELinux or AppArmor. Monitor the upstream fix at https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1271 for technical details. In high-security environments, consider temporarily restricting local user account creation and auditing existing accounts with local access until patches are applied. System administrators should review audit logs for unusual file creation in libinput configuration paths as potential indicators of exploitation attempts.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

EUVD-2026-17907 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy