Message-ID: <ac3FMrUy3x5rrDTl@quokka>
Date: Thu, 2 Apr 2026 11:24:57 +1000
From: Peter Hutterer <peter.hutterer@...-t.net>
To: oss-security@...ts.openwall.com
Subject: FW: libinput Security Advisory: multiple security issues in libinput

=========================================
libinput Security Advisory: April 2, 2026
=========================================

Multiple issues have been found in libinput:

1) CVE-2026-35093: Sandbox escape in libinput plugins

The libinput plugin system runs Lua plugins in a sandbox that restricts them
from any I/O other than log messages. However, a bug in the plugin loader
allowed precompiled Lua bytecode to be loaded. Bytecode is not verified at
runtime and is therefore not restricted by the sandbox, so a plugin can do
essentially anything Lua allows, at the privilege level of the loading process.
An attacker who manages to deploy such a Lua plugin may thus gain unrestricted
access to the machine (depending on the user's privileges).

Upstream issue: https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1271
Upstream fix: https://gitlab.freedesktop.org/libinput/libinput/-/commit/356c498fd4ba25ec99f6866fc96847ec3d1f16bf
Versions affected: libinput 1.31.0, libinput 1.30.[0-2]
Fixed versions: libinput 1.31.1, libinput 1.30.3
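The security-relevant point above is that Lua will happily execute a precompiled chunk unless the loader refuses binary input. The following is an added example (not libinput's code, and not the upstream fix; the advisory does not describe how the fix is implemented) that shows the check a loader or a pre-deployment scanner can apply: every precompiled Lua chunk starts with the signature `\x1bLua`, and Lua's own text-only load mode (mode `"t"` in `luaL_loadbufferx`/`luaL_loadfilex`) refuses exactly those chunks. The function names, the `PluginRejected` exception and the sample plugin contents are assumptions constructed for this example; the "bytecode" samples carry the signature followed by filler bytes rather than real compiled output.

```python
"""Refuse precompiled Lua bytecode before a plugin reaches the interpreter.

Added example, not part of libinput. It reproduces the effect of loading Lua
chunks in text-only mode: a chunk that begins with the binary-chunk
signature is rejected instead of executed.
"""

# Every precompiled Lua chunk begins with ESC followed by "Lua" (LUA_SIGNATURE).
LUA_SIGNATURE = b"\x1bLua"


class PluginRejected(Exception):
    """Raised when a plugin chunk is not plain Lua source (name is an assumption)."""


def _skip_shebang(data: bytes) -> bytes:
    """Drop a leading '#' line, as luaL_loadfile does before it inspects the chunk.

    Without this step a bytecode chunk hidden behind a shebang line would
    pass a naive prefix check and still be loaded as binary.
    """
    if data.startswith(b"#"):
        newline = data.find(b"\n")
        return b"" if newline == -1 else data[newline + 1:]
    return data


def classify_chunk(data: bytes) -> str:
    """Return 'bytecode' for a precompiled chunk and 'text' for Lua source."""
    body = _skip_shebang(data)
    return "bytecode" if body.startswith(LUA_SIGNATURE) else "text"


def vet_plugin(name: str, data: bytes) -> bytes:
    """Return the chunk unchanged if it is source; raise PluginRejected otherwise."""
    if classify_chunk(data) == "bytecode":
        raise PluginRejected(f"{name}: precompiled Lua bytecode is not allowed")
    return data


def vet_plugins(plugins: dict) -> dict:
    """Vet a {filename: bytes} mapping; return accepted chunks and rejection reasons."""
    accepted, rejected = {}, {}
    for name, data in plugins.items():
        try:
            accepted[name] = vet_plugin(name, data)
        except PluginRejected as exc:
            rejected[name] = str(exc)
    return {"accepted": accepted, "rejected": rejected}


# Constructed sample plugin directory; the two "compiled" entries are the
# signature plus filler bytes, not real Lua output.
SAMPLE_PLUGINS = {
    "ok.lua": b"log.info('plugin loaded')\n",
    "shebang.lua": b"#!/usr/bin/env lua\nlog.info('plugin loaded')\n",
    "compiled.lua": LUA_SIGNATURE + b"\x54\x00" + b"\x00" * 16,
    "sneaky.lua": b"#!/usr/bin/env lua\n" + LUA_SIGNATURE + b"\x54\x00" + b"\x00" * 16,
}

if __name__ == "__main__":
    result = vet_plugins(SAMPLE_PLUGINS)
    for name in sorted(result["accepted"]):
        print(f"accepted {name}")
    for name, reason in sorted(result["rejected"].items()):
        print(f"rejected {reason}")
```

The shebang handling is the edge case worth noting: if a loader checks only the first bytes of the file while the interpreter strips a leading `#` line before parsing, the two disagree and a bytecode chunk can slip through. Whatever the loader does, the safest configuration is to ask Lua itself for text-only mode rather than to re-implement the check.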

2) CVE-2026-35094: Use after free allowing information leak in libinput plugins

This issue is less severe: a plugin that called Lua's __gc() function left a
dangling pointer in the device's name, which could then be printed to the log.
Depending on the value at that memory location, this could expose sensitive
information.

Upstream issue: https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1272
Upstream fix: https://gitlab.freedesktop.org/libinput/libinput/-/commit/45dfd0f0301af855f068df27b2e40cc9f5713acd
Versions affected: libinput 1.31.0, libinput 1.30.[0-2]
Fixed versions: libinput 1.31.1, libinput 1.30.3

As noted above, updated libinput packages that fix these issues have been
released.

Affected distributions/compositors:
-----------------------------------

Any distribution shipping libinput 1.30.0 or newer is affected; however, Lua
plugins are only loaded if the compositor (or another caller) loads plugins.
This is currently the case for GNOME 50's mutter, KWin (git) and Niri (git).
wlroots, sway and river are not affected.

Distributions affected: Fedora 43 and Fedora 44.
Fedora enables the -Dautoload-plugins meson option, which causes plugins to be
loaded regardless of compositor support. Arch, openSUSE, Ubuntu, Debian and
NixOS do not set this flag and/or are on older versions of libinput.

This is not an exhaustive list of distributions or compositors. There are a
number of utilities that use libinput and may be affected by this, in
particular those run as root.

Acknowledgements
----------------

Many thanks to Koen Tange for reporting these issues.

