CVE-2026-35094

Name of the Vulnerable Software and Affected Versions libinput (affected versions not specified)

Description A flaw exists in libinput where an attacker who can deploy a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, resulting in a pointer that could be printed to system logs. This could potentially expose sensitive data if the memory location is re-used, leading to information disclosure. Successful exploitation requires Lua plugins to be enabled in libinput and loaded by the compositor.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.