Libinput has disclosed two critical security vulnerabilities (CVE-2026-35093 and CVE-2026-35094) in its Lua plug-in system that allow sandbox escape and use-after-free attacks. These flaws enable unrestricted system access through malicious plug-ins, affecting both X.Org and Wayland Linux desktops. Security patches have been released in libinput versions 1.31.1 and 1.30.3 to address these issues.
Background
Libinput is the standard input handling library for Linux systems, used by both X.Org and Wayland compositors to process keyboard, mouse, and touchpad events. The Lua plug-in system was introduced in libinput 1.30 to allow custom modification of input devices and events.
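A version check built from the release numbers above, as an added example (not libinput's own code). It assumes plain X.Y.Z release numbers and that every 1.30.x before 1.30.3 and every 1.31.x before 1.31.1 carries the flaws; `split_version` and `libinput_plugin_status` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: classify a libinput version against the releases named above.
# Assumptions: plain release numbers (X.Y.Z), pre-release numbering is not
# handled, and every release in a series before the fixed one is affected.

# Print "major minor patch" for a dotted version; missing parts become 0.
split_version() {
    old_ifs=$IFS
    IFS=.
    set -- $1          # split on dots; input is validated as digits/dots only
    IFS=$old_ifs
    echo "${1:-0} ${2:-0} ${3:-0}"
}

# Echo one of: invalid, no-plugin-system, affected, fixed
libinput_plugin_status() {
    case $1 in
        ''|*[!0-9.]*) echo invalid; return 0 ;;
    esac
    set -- $(split_version "$1")
    major=$1 minor=$2 patch=$3

    # The Lua plug-in system arrived in 1.30; older releases lack that code.
    if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 30 ]; }; then
        echo no-plugin-system
    # 1.30 series: fixed in 1.30.3
    elif [ "$major" -eq 1 ] && [ "$minor" -eq 30 ] && [ "$patch" -lt 3 ]; then
        echo affected
    # 1.31 series: fixed in 1.31.1
    elif [ "$major" -eq 1 ] && [ "$minor" -eq 31 ] && [ "$patch" -lt 1 ]; then
        echo affected
    else
        echo fixed
    fi
}

# Run as: sh check.sh "$(pkg-config --modversion libinput)"
if [ "$#" -gt 0 ]; then
    libinput_plugin_status "$1"
fi
```

Distributions may backport fixes without changing the upstream version number, so an `affected` result should be confirmed against the distribution's own advisory.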
- Source: Lobsters
- Published: Apr 2, 2026 at 02:01 PM
- Score: 8.0 / 10