CVE-2026-35093 - Libinput: libinput: unauthorized code execution and information disclosure through lua bytecode plugins

CVSS 8.8 · High · EPSS 0.02% · P6

I. Basic Information for CVE-2026-35093

Vulnerability Information

Vulnerability Title
Libinput: libinput: unauthorized code execution and information disclosure through lua bytecode plugins
Source: NVD (National Vulnerability Database)
Vulnerability Description
A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories can bypass security restrictions. This allows the attacker to run unauthorized code with the same permissions as the program using libinput, such as a graphical compositor. This could lead to the attacker monitoring keyboard input and sending that information to an external location.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
Improper Control of Generation of Code (Code Injection)
Source: NVD (National Vulnerability Database)
Vulnerability Title
libinput code injection vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
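libinput is an open-source library from freedesktop that provides a complete input stack for display servers and other applications that need to handle input devices provided by the kernel. libinput contains a code injection vulnerability: a local attacker can place a specially crafted Lua bytecode file in certain configuration directories to bypass security restrictions, which may lead to running unauthorized code and monitoring keyboard input.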
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor | Product | Affected Versions | CPE
Red Hat | Red Hat Enterprise Linux 10 | - | cpe:/o:redhat:enterprise_linux:10
Red Hat | Red Hat Enterprise Linux 7 | - | cpe:/o:redhat:enterprise_linux:7
Red Hat | Red Hat Enterprise Linux 8 | - | cpe:/o:redhat:enterprise_linux:8
Red Hat | Red Hat Enterprise Linux 9 | - | cpe:/o:redhat:enterprise_linux:9

II. Public POCs for CVE-2026-35093

No public POC found.

III. Intelligence Information for CVE-2026-35093

Same Patch Batch · Red Hat · 2026-04-01 · 4 CVEs total

CVE-2026-35091 · 8.2 HIGH · Corosync: corosync: denial of service and information disclosure via crafted udp packet
CVE-2026-35092 · 7.5 HIGH · Corosync: corosync: denial of service via integer overflow in join message validation
CVE-2026-35094 · 3.3 LOW · Libinput: libinput: information disclosure via dangling pointer in lua plugin handling
