Skip to main content

libinput EUVDEUVD-2026-34795

| CVE-2026-50265 HIGH
OS Command Injection (CWE-78)
2026-06-05 redhat GHSA-h66j-7rgr-pmgx
7.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 05, 2026 - 11:20 vuln.today
CVE Published
Jun 05, 2026 - 09:49 nvd
HIGH 7.0

DescriptionCVE.org

A flaw was found in libinput. A local attacker with access to /dev/uinput can inject arbitrary udev properties through the libinput-device-group helper. This injection can lead to root code execution, for example, by exploiting REMOVE_CMD properties that are executed when a device is removed. This vulnerability allows an attacker to gain elevated privileges on the system.

AnalysisAI

Local privilege escalation in libinput affects Red Hat Enterprise Linux 7, 8, 9, and 10 by allowing a local attacker with access to /dev/uinput to inject arbitrary udev properties via the libinput-device-group helper. Exploitation can result in root code execution through abuse of udev REMOVE_CMD properties that are run when a device is removed, mapping to CWE-78 (OS Command Injection). No public exploit identified at time of analysis, but the issue is vendor-confirmed by Red Hat.

Technical ContextAI

libinput is the input handling library used by Wayland compositors and X.Org to process events from keyboards, mice, touchpads, and other devices on modern Linux systems. The libinput-device-group helper is a small privileged component used during device enumeration; it communicates with udev, the kernel's userspace device manager, to set per-device properties. /dev/uinput is the kernel's user-mode input device interface, normally restricted but in some configurations accessible to local users or specific groups. CWE-78 (OS Command Injection) applies because udev rules support a REMOVE_CMD property that udev later executes as root when the device is removed - if an attacker can inject this property via the helper, the resulting command runs with root privileges, turning a property-setting bug into arbitrary command execution.

RemediationAI

Patch available per vendor advisory - apply the libinput updates published by Red Hat for the affected RHEL stream as referenced in https://access.redhat.com/security/cve/CVE-2026-50265 and https://bugzilla.redhat.com/show_bug.cgi?id=2485390, and track upstream resolution at https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296; exact fix versions are not in the provided data and must be taken from the live errata. As compensating controls until the package is updated, restrict /dev/uinput so only trusted services can open it by tightening the udev rule that sets its mode (commonly 0660 root:input) to root-only access or to a narrowly scoped service group, with the trade-off that user-space tools needing virtual input (Steam Input, Barrier, accessibility utilities, certain RDP/remote-control agents) will stop working. Audit membership of the input and any custom uinput groups and remove non-essential users, and consider an SELinux or AppArmor policy that confines the libinput-device-group helper and denies it from writing arbitrary udev properties; SELinux already runs in enforcing mode on default RHEL, so confirm libinput-device-group is in a confined domain. Avoid loading the uinput kernel module (modprobe -r uinput, blacklist in /etc/modprobe.d/) on systems that do not require virtual input devices, accepting that this also breaks any legitimate uinput consumer.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected

Share

EUVD-2026-34795 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy