CVE-2026-35094

CWE-825 | 8 documents | 7 sources
Severity: 5.5 MEDIUM
EPSS: 0.0% (top 97.78%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Apr 1
Latest update: Apr 2

Description

A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, leaving a pointer that can then be printed to system logs. This could potentially expose sensitive data if the memory location is re-used, leading to information disclosure. For this exploit to work, Lua plugins must be enabled in libinput and loaded by the compositor.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 1.8 | Impact: 1.4

Affected Packages (1 package)

Debian | libinput | < 1.31.1-1

Also affects: Fedora 43, 44

Vulnerability Details (4)

OSV | CVE-2026-35094: (A flaw was found in libinput | 2026-04-02
CVEList | Libinput: libinput: information disclosure via dangling pointer in lua plugin handling | 2026-04-01
GHSA | GHSA-9pg8-4hvg-h64m: A flaw was found in libinput | 2026-04-01
OSV | CVE-2026-35094: A flaw was found in libinput | 2026-04-01

Vendor Advisories (2)

Red Hat | libinput: libinput: Information disclosure via dangling pointer in Lua plugin handling | 2026-04-01
Debian | CVE-2026-35094: libinput - A flaw was found in libinput. An attacker capable of deploying a Lua plugin file... | 2026

Threat Intelligence (1)

Wiz | CVE-2026-35094 Impact, Exploitability, and Mitigation Steps | Wiz