{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35093", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-04-01T12:56:18.939Z", "datePublished": "2026-04-01T13:54:00.189Z", "dateUpdated": "2026-04-03T13:56:05.343Z"}, "containers": {"cna": {"title": "Libinput: libinput: unauthorized code execution and information disclosure through lua bytecode plugins", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories can bypass security restrictions. This allows the attacker to run unauthorized code with the same permissions as the program using libinput, such as a graphical compositor. This could lead to the attacker monitoring keyboard input and sending that information to an external location."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libinput", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:10"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libinput", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libinput", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libinput", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-35093", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453839", "name": "RHBZ#2453839", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1271"}], "datePublic": "2026-04-01T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "timeline": [{"lang": "en", "time": "2026-04-01T13:31:20.352Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-01T00:00:00.000Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Koen Tange (monokles.eu) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-02T06:31:23.875Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35093", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T13:46:32.320920Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:56:05.343Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35093", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T13:46:32.320920Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:49:57.591Z"}}], "cna": {"title": "Libinput: libinput: unauthorized code execution and information disclosure through lua bytecode plugins", "credits": [{"lang": "en", "value": "Red Hat would like to thank Koen Tange (monokles.eu) for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/o:redhat:enterprise_linux:10"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "packageName": "libinput", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "packageName": "libinput", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "packageName": "libinput", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "packageName": "libinput", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-01T13:31:20.352Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-01T00:00:00.000Z", "value": "Made public."}], "datePublic": "2026-04-01T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-35093", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453839", "name": "RHBZ#2453839", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1271"}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories can bypass security restrictions. This allows the attacker to run unauthorized code with the same permissions as the program using libinput, such as a graphical compositor. This could lead to the attacker monitoring keyboard input and sending that information to an external location."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-02T06:31:23.875Z"}, "x_redhatCweChain": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}}, "cveMetadata": {"cveId": "CVE-2026-35093", "state": "PUBLISHED", "dateUpdated": "2026-04-03T13:56:05.343Z", "dateReserved": "2026-04-01T12:56:18.939Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-04-01T13:54:00.189Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:freedesktop:libinput:*:*:*:*:*:*:*:*", "matchCriteriaId": "3829AD08-1AAF-42AA-8CA8-A9053797F35C", "versionEndExcluding": "1.30.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:freedesktop:libinput:*:*:*:*:*:*:*:*", "matchCriteriaId": "A122E860-3D8E-4A07-9460-B636AA4BFC7A", "versionEndExcluding": "1.31.1", "versionStartIncluding": "1.30.4", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:43:*:*:*:*:*:*:*", "matchCriteriaId": "E1D1BBE5-0886-4D95-9862-16A4C316F70A", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:44:*:*:*:*:*:*:*", "matchCriteriaId": "DD1E6B15-C7BF-47E1-8034-501385D7B7DD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories can bypass security restrictions. This allows the attacker to run unauthorized code with the same permissions as the program using libinput, such as a graphical compositor. This could lead to the attacker monitoring keyboard input and sending that information to an external location."}], "id": "CVE-2026-35093", "lastModified": "2026-04-07T20:31:19.550", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2026-04-01T14:16:57.443", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2026-35093"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453839"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1271"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Koen Tange (monokles.eu) for reporting this issue.", "bugzilla": {"description": "libinput: libinput: Unauthorized code execution and information disclosure through Lua bytecode plugins", "id": "2453839", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453839"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-94", "details": ["A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories can bypass security restrictions. This allows the attacker to run unauthorized code with the same permissions as the program using libinput, such as a graphical compositor. This could lead to the attacker monitoring keyboard input and sending that information to an external location."], "name": "CVE-2026-35093", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "libinput", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "libinput", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "libinput", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "libinput", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-35093\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-35093\nhttps://gitlab.freedesktop.org/libinput/libinput/-/work_items/1271"], "statement": "This Important flaw in libinput allows a local attacker to achieve unauthorized code execution and information disclosure. Exploitation requires the attacker to place a specially crafted Lua bytecode file in a system or user configuration directory, and for Lua plugins to be enabled and loaded by the graphical compositor.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Red Hat Enterprise Linux 10", "source": "cna", "vendor": "Red Hat"}, "product": "enterprise_linux", "vendor": "redhat"}], "analysis": {"en": {"generated_at": "2026-04-07T22:37:28.577153+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011issued patch by updating Libinput to the latest released version on Red\u00a0Hat systems using yum/dnf, or on Fedora using dnf.", "If the update cannot be performed immediately, restrict write access to directories from which Libinput loads Lua plugins (for example, /usr/share/libinput/lua) so that only privileged users can modify them.", "Review the Libinput configuration directories for the presence of suspicious Lua bytecode files, remove any that are not legitimate, and monitor these directories for unauthorized changes."], "summary": {"action": "Apply Patch", "impact": "Local Code Execution and Information Disclosure"}, "threat_synthesis": {"affected_systems": "Red\u00a0Hat Enterprise\u00a0Linux 7,\u202f8,\u202f9,\u202f10 and Fedora 43 and 44 are affected because the Libinput package bundled with these distributions contains the vulnerable code. No specific package versions are listed, so any system running the packaged Libinput without the available remediation is susceptible.", "description_and_impact": "A flaw in Libinput allows a local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories to bypass security restrictions. The attacker can then run arbitrary code with the same permissions as the program using Libinput, such as a graphical compositor. This can enable the attacker to monitor keyboard input and send the captured data to an external location. The vulnerability reflects CWE\u201194, a form of malicious code injection that leads to unintended code execution.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity. An EPSS score of less than 1% suggests a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is local: the attacker must have write access to a directory where Libinput loads Lua plugins. Once such a file is in place, the compromise occurs immediately with the privileges of the Libinput\u2011using process."}}}}, "created": "2026-04-02T07:49:08.206068+00:00", "updated": "2026-04-08T19:57:09.117365+00:00", "vendors": ["redhat", "redhat$PRODUCT$enterprise_linux"]}