libinput Information Disclosure via Dangling Pointer in Lua Plugin (CVE-2026-35094)

Vulnerability Summary: CVE-2026-35094 (Bug 2583840) Vulnerability Overview Title/ID: Bug 2583840 (CVE-2026-35094) - CVE-2026-35094 Description: A dangling pointer vulnerability exists in libinput when handling Lua plugins. An attacker can deploy a Lua file (in or potentially ), invoke the cleanup function, and leave behind a dangling pointer. This pointer may later be printed to system logs, potentially exposing sensitive data if the memory location is reused. Trigger Conditions: The vulnerability requires Lua plugin support to be enabled in libinput and loaded by the connector. On Fedora 43 and 44, if libinput auto-loads plugins at startup, the directory must be enabled via the file in . Attackers cannot deploy Lua plugins in directories already loaded by libinput. Impact Scope Affected Product: libinput Operating System: Linux Affected Versions: Fedora 43 and 44 (per comment; not affecting current RHEL versions) Severity: Medium Status: NEW Fix/Mitigation No specific patch or version number is provided in the visible content (status is NEW; "Fixed in Version" states "Close Old", indicating old versions are affected, while the new fix may be embargoed or under development). POC/Exploit Code No actual POC code block is included. The description only outlines the attack method—deploying a Lua file and calling —without providing executable code.

Goal Reached Thanks to every supporter — we hit 100%!

libinput Information Disclosure via Dangling Pointer in Lua Plugin (CVE-2026-35094)