Libinput · Libinput · CVE-2026-35094
Name of the Vulnerable Software and Affected Versions
libinput (affected versions not specified)
Description
A flaw exists in libinput where an attacker who can deploy a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, resulting in a pointer that could be printed to system logs. This could potentially expose sensitive data if the memory location is re-used, leading to information disclosure. Successful exploitation requires Lua plugins to be enabled in libinput and loaded by the compositor.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.