Compliance Impact

This vulnerability allows an attacker to monitor keyboard input and send that information to an external location, potentially leading to unauthorized disclosure of sensitive data.

Such unauthorized access and exfiltration of sensitive information could result in non-compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive data against unauthorized access and breaches.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-35093 is a high-severity vulnerability in libinput that allows a local attacker to bypass security restrictions by placing a specially crafted Lua bytecode file in certain system or user configuration directories.

Libinput does not verify Lua bytecode at runtime, which means that if a malicious Lua plugin is placed in directories such as {/usr/share,/etc}/libinput/plugins or XDG_CONFIG_HOME/libinput/plugins, it will be loaded automatically by the compositor or other programs using libinput.

This allows the attacker to execute unauthorized code with the same permissions as the program using libinput, potentially enabling them to monitor keyboard input and send that information to an external location.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts because it allows an attacker to execute arbitrary code with the privileges of the program using libinput, such as a graphical compositor.

An attacker exploiting this flaw can monitor all keyboard events, potentially capturing sensitive information like passwords or personal data, and exfiltrate this information to an external location.

Since the attacker gains the same permissions as the compromised process, they could also perform other malicious actions within that security context.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for the presence of Lua bytecode files in the specific plugin directories used by libinput, as these files can be used to exploit the flaw.

• Check for Lua bytecode files in system directories: /usr/share/libinput/plugins and /etc/libinput/plugins.
• Check for Lua bytecode files in user configuration directories: $XDG_CONFIG_HOME/libinput/plugins (commonly ~/.config/libinput/plugins).
• Use commands like: find /usr/share/libinput/plugins /etc/libinput/plugins $XDG_CONFIG_HOME/libinput/plugins -type f -name '*.luac' to locate Lua bytecode files.
• Verify if the compositor in use loads Lua plugins and if libinput is compiled with the -Dautoload-plugins flag, as this affects whether plugins are automatically loaded.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include preventing attackers from placing Lua bytecode files in the plugin directories and disabling Lua plugin loading if possible.

• Restrict write permissions on /usr/share/libinput/plugins, /etc/libinput/plugins, and $XDG_CONFIG_HOME/libinput/plugins directories to trusted users only.
• If feasible, disable Lua plugin support in libinput or the compositor to prevent loading of potentially malicious plugins.
• Update libinput and the compositor to versions that have patched this vulnerability once available.
• Monitor for unusual keyboard input monitoring or unexpected network activity that could indicate exploitation.

Useful 0 Not Useful 0