CVE-2026-35093

CWE-94 — Code Injection9 documents8 sources

Severity

8.8HIGH

EPSS

0.0%

top 95.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Freedesktop Libinput Fedoraproject Fedora

Timeline

PublishedApr 1

Latest updateApr 2

Description

A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories can bypass security restrictions. This allows the attacker to run unauthorized code with the same permissions as the program using libinput, such as a graphical compositor. This could lead to the attacker monitoring keyboard input and sending that information to an external location.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 2.0 | Impact: 6.0

Affected Packages2 packages

▶NVDfreedesktop/libinput1.30.4 — 1.31.1+1

▶Debianlibinput< 1.31.1-1

Also affects: Fedora 43, 44

🔴Vulnerability Details

OSV

CVE-2026-35093: (A flaw was found in libinput↗2026-04-02

▶

GHSA

GHSA-mr79-hxw4-8vpf: A flaw was found in libinput↗2026-04-01

▶

OSV

CVE-2026-35093: A flaw was found in libinput↗2026-04-01

▶

CVEList

Libinput: libinput: unauthorized code execution and information disclosure through lua bytecode plugins↗2026-04-01

▶

📋Vendor Advisories

Microsoft

Libinput: libinput: unauthorized code execution and information disclosure through lua bytecode plugins↗2026-04-02

▶

Red Hat

libinput: libinput: Unauthorized code execution and information disclosure through Lua bytecode plugins↗2026-04-01

▶

Debian

CVE-2026-35093: libinput - A flaw was found in libinput. A local attacker who can place a specially crafted...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-35093 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶