Lukas Lamster

#33849 of 53,635
7.8 Total CVSS
Vulnerabilities · 1
PT-2022-2364
7.8
2022-04-20
Libinput · Libinput · CVE-2022-1215
**Name of the Vulnerable Software and Affected Versions**

libinput version 1.20.1

**Description**

A format string vulnerability was found in libinput, caused by the use of uncontrolled format strings in the `evdev_log_msg` function. It can be exploited to execute arbitrary code with elevated privileges, particularly when the X server runs with root privileges. The issue affects environments based on X.Org and Wayland and can be exploited through locally connected devices or through manipulation of Bluetooth devices.

**Recommendations**

For libinput version 1.20.1, consider updating to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the `evdev_log_msg` function to minimize the risk of exploitation. Avoid using the `evdev_log_msg` function in the affected API endpoints until the issue is resolved.