Skip to main content

libinput EUVDEUVD-2026-34302

| CVE-2026-50292 HIGH
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-06-04 mitre GHSA-jcq8-v68h-2c44
7.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
6.7 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jun 04, 2026 - 19:01 EUVD
Analysis Generated
Jun 04, 2026 - 18:04 vuln.today

DescriptionCVE.org

In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution

AnalysisAI

Local root code execution in libinput versions before 1.30.4 and 1.31.x before 1.31.3 is possible because the libinput-device-group helper fails to escape the 'phys' string returned for an input device, allowing injection of attacker-controlled udev properties that are subsequently evaluated as privileged actions. The flaw, tracked as CWE-93 (CRLF/property injection), enables an unprivileged local user who can attach or simulate a device with a crafted physical-path identifier to escalate to root. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

libinput is the freedesktop.org input-handling library used by Wayland compositors, Xorg (via xf86-input-libinput), and embedded GUI stacks to abstract evdev devices. During device enumeration, udev runs the libinput-device-group helper, which prints a group identifier built partly from the kernel-reported 'phys' attribute (the physical topology path of the device, e.g. 'usb-0000:00:14.0-1/input0'). Because that string was concatenated into udev property output without escaping newlines or property delimiters, a device that supplies a malicious phys value can inject additional KEY=VALUE pairs into the udev environment - a textbook CWE-93 (Improper Neutralization of CRLF Sequences) condition. Injected udev properties such as RUN+= or ENV{IMPORT}= are honored by udevd as root, yielding arbitrary code execution. The affected component is identified by CPE cpe:2.3:a:freedesktop:libinput:*:*:*:*:*:*:*:* across the 1.x branch up to 1.30.3 and 1.31.0-1.31.2.

RemediationAI

Upstream fix available (commit 76f0d8a7f57e2868882864b4611281f12f704b55) and released patched versions are libinput 1.30.4 and 1.31.3 - upgrade to one of these or to the distribution package that backports the fix, as announced on oss-security at https://www.openwall.com/lists/oss-security/2026/06/04/5 and tracked at https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296. Where immediate patching is not possible, restrict the udev rule that invokes libinput-device-group (typically shipped as 60-libinput.rules or 90-libinput.rules under /usr/lib/udev/rules.d/) so that the group helper is not executed for untrusted devices, or temporarily replace the IMPORT{program} call with a wrapper that sanitizes newlines from the helper's output - be aware this will break input grouping for touchpad/touchscreen pairs and may degrade gesture support. On systems where physical access is the threat, disabling hot-plug USB input devices via USBGuard or kernel CONFIG_USB_AUTHORIZED_DEFAULT policy substantially reduces exposure but will block legitimate peripherals until manually authorized.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected

Share

EUVD-2026-34302 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy