Platform: linux. Component: libinput.
CVE-2026-35093 describes an information disclosure vulnerability within libinput, a library for handling input devices on Linux systems. A malicious actor with local access can exploit this flaw by placing a specially crafted Lua bytecode file in specific system or user configuration directories. This bypasses security restrictions, allowing unauthorized code execution with the same privileges as the program utilizing libinput, such as a graphical compositor, potentially leading to sensitive data exposure.
The primary impact of CVE-2026-35093 is the potential for a local attacker to monitor keyboard input and exfiltrate that data to an external location. This could expose sensitive information such as passwords, credit card numbers, or confidential documents. The attacker's ability to execute arbitrary code with the privileges of the affected process (e.g., a graphical compositor) significantly expands the attack surface. Successful exploitation could lead to complete system compromise if the compositor has elevated privileges. While the vulnerability requires local access, the widespread use of libinput across various Linux distributions and desktop environments increases the potential blast radius.
CVE-2026-35093 was published on 2026-04-01. The vulnerability's impact stems from the ability to execute arbitrary code within a privileged process, similar to vulnerabilities that exploit scripting engine flaws. As of the publication date, there are no known public proof-of-concept exploits. The EPSS score is pending evaluation, but the potential for privilege escalation suggests a medium to high probability of exploitation if a suitable exploit is developed and becomes publicly available.
Exploit Status: EPSS 0.02% (4th percentile).
The primary mitigation for CVE-2026-35093 is to upgrade to a patched version of libinput as soon as it becomes available from your distribution vendor. In the interim, restrict access to the system and user configuration directories where Lua bytecode files can be placed, and enforce strict file access controls so that only trusted accounts can modify them. Consider using a security scanner to detect the presence of suspicious Lua bytecode files, and monitor system logs for any unusual Lua execution activity. A WAF is not applicable to a local input library, but restricting outbound network access from the affected system can limit the potential for data exfiltration.
Update libinput to the latest version provided by your Linux distribution. This mitigates the vulnerability by correcting the way libinput handles Lua bytecode files, preventing the execution of unauthorized code.
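As an added defensive check (not code from this advisory or from the libinput project), the POSIX shell script below scans the directories passed to it for the two conditions the interim mitigations above describe: files that begin with the Lua precompiled-chunk signature (the four bytes ESC, 'L', 'u', 'a'), and files that any user on the system can write to. The default directory list is an assumption and must be replaced with the plugin paths your libinput version documents; the advisory itself does not name them.

```shell
#!/bin/sh
# Added example; not part of the advisory and not libinput's own tooling.
# Reports precompiled Lua chunks and world-writable files in plugin/config
# directories. Directory defaults are ASSUMED; adjust to your distribution.

# Lua bytecode chunks start with ESC "Lua" (hex 1b 4c 75 61).
LUA_SIG_HEX="1b4c7561"

# Return 0 if FILE begins with the Lua bytecode signature, 1 otherwise.
# od is used so that binary content never passes through a shell variable as raw bytes.
is_lua_bytecode() {
    [ -f "$1" ] || return 1
    [ "$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')" = "$LUA_SIG_HEX" ]
}

# Return 0 if FILE has the "other write" mode bit (002) set, 1 otherwise.
is_world_writable() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -perm -002 2>/dev/null)" ]
}

# Scan every DIR given; print one "path<TAB>reason" line per finding.
# Returns 0 when nothing was flagged, 1 when at least one file was.
# Plain-text Lua source plugins are not flagged; only precompiled chunks are.
scan_plugin_dirs() {
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/* "$dir"/.*; do
            [ -f "$f" ] || continue
            if is_lua_bytecode "$f"; then
                printf '%s\tprecompiled Lua chunk\n' "$f"
                found=1
            fi
            if is_world_writable "$f"; then
                printf '%s\tworld-writable\n' "$f"
                found=1
            fi
        done
    done
    return "$found"
}

# ASSUMED default locations (hypothetical); confirm against your libinput docs.
DEFAULT_DIRS="/etc/libinput/plugins /usr/lib/libinput/plugins ${XDG_CONFIG_HOME:-$HOME/.config}/libinput/plugins"

# With arguments, scan those directories; with none, scan the assumed defaults.
# shellcheck disable=SC2086  # word splitting of DEFAULT_DIRS is intended
[ "$#" -gt 0 ] || set -- $DEFAULT_DIRS
if scan_plugin_dirs "$@"; then
    echo "no findings"
fi
```

Run it as root (or as the user whose configuration directory is being checked) and treat any reported line as something to examine by hand; a precompiled chunk has no legitimate reason to appear where source plugins are expected, and a world-writable file in these directories lets any local account stage one.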
CVE-2026-35093 is a HIGH severity vulnerability in libinput affecting Linux systems. A local attacker can bypass security restrictions by placing crafted Lua bytecode, potentially monitoring keyboard input.
If you are running libinput on a Linux system, you may be affected. Check with your distribution vendor for patch availability and apply it promptly.
The recommended fix is to upgrade to a patched version of libinput provided by your Linux distribution vendor. Restrict file access to configuration directories as an interim measure.
As of the publication date, there are no confirmed reports of active exploitation, but the potential for privilege escalation warrants caution.
Refer to your Linux distribution's security advisories for information specific to your system. The libinput project's website may also contain updates.