CVE-2026-35094
Dangling Pointer in libinput Lua Plugin Causes Information Disclosure
Publication date: 2026-04-01
Last updated on: 2026-04-07
Assigner: Red Hat, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freedesktop | libinput | * |
| fedoraproject | fedora | 43 |
| fedoraproject | fedora | 44 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-825 | The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability in libinput can lead to information disclosure by exposing sensitive data through system logs if exploited. Such exposure of sensitive data may impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access or disclosure.
However, the exploit requires specific conditions, including the ability to deploy a Lua plugin in certain system directories and having Lua plugins enabled and loaded by the compositor, which may limit the risk.
Can you explain this vulnerability to me?
This vulnerability is a flaw in libinput related to its handling of Lua plugins. An attacker who can place a malicious Lua plugin file in specific system directories can trigger a dangling pointer. The pointer is left behind when a garbage collection cleanup function is called, and it is later printed to the system logs. Because the memory it refers to may have been reused by then, the logged value can expose sensitive information.
- The attacker must be able to deploy a Lua plugin in a directory such as `/usr/share/libinput/plugins`, `/etc/libinput/plugins`, or `XDG_CONFIG_HOME/libinput/plugins`.
- Lua plugins must be enabled in libinput and loaded by the compositor for the exploit to work.
- If libinput is compiled with the `-Dautoload-plugins` build option, plugins are loaded automatically, increasing exposure.
How can this vulnerability impact me?
This vulnerability can lead to information disclosure by exposing sensitive data through system logs. An attacker exploiting the dangling pointer can cause memory contents to be printed, potentially revealing confidential information stored in memory if that memory is reused.
The impact is limited to information disclosure and does not affect integrity or availability.
The attacker needs local access to place a Lua plugin, so remote exploitation is unlikely.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of Lua plugin files in the libinput plugin directories and by monitoring system logs for unexpected libinput output that may contain leaked pointer values.
- Check for Lua plugin files in the following directories: `/usr/share/libinput/plugins`, `/etc/libinput/plugins`, and `XDG_CONFIG_HOME/libinput/plugins`.
- Use commands like `ls -l /usr/share/libinput/plugins/*.lua` and similarly for the other directories to identify any unexpected or malicious Lua files.
- Monitor system logs (e.g., using `journalctl -xe` or `tail -f /var/log/syslog`) for libinput entries that contain unexpected pointer values or messages from plugin cleanup.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, ensure that Lua plugins are not enabled or loaded by the compositor if not required.
Remove or restrict write permissions to the Lua plugin directories (`/usr/share/libinput/plugins`, `/etc/libinput/plugins`, and `XDG_CONFIG_HOME/libinput/plugins`) to prevent attackers from deploying malicious Lua files.
If possible, update libinput to a version where this vulnerability is fixed or apply any available patches from your distribution.
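The directory checks from the detection and mitigation answers above, combined into one audit script. This is an added example and not part of the advisory or of libinput itself; it assumes the three plugin directories named above, resolves `XDG_CONFIG_HOME` to its usual default of `$HOME/.config` when unset, lists any `.lua` files found, and flags plugin directories that are group- or world-writable, since those are the ones an unprivileged local user could drop a plugin into.

```shell
#!/bin/sh
# Audit libinput Lua plugin directories (added example, not libinput code).
# Reports every .lua file in the plugin search path and warns when a
# plugin directory is writable by group or others.

# List regular .lua files directly inside one directory, one path per line.
# A missing directory yields no output and is not an error.
list_lua_plugins() {
    [ -d "$1" ] || return 0
    find "$1" -maxdepth 1 -type f -name '*.lua' 2>/dev/null | sort
}

# Succeed (exit 0) when the directory is group- or world-writable.
dir_is_loosely_writable() {
    [ -d "$1" ] || return 1
    [ -n "$(find "$1" -maxdepth 0 -type d \( -perm -g+w -o -perm -o+w \))" ]
}

# Walk the plugin search path from the advisory. The per-user directory
# uses the XDG default ($HOME/.config) when XDG_CONFIG_HOME is unset.
audit_libinput_plugins() {
    set -- /usr/share/libinput/plugins /etc/libinput/plugins \
        "${XDG_CONFIG_HOME:-$HOME/.config}/libinput/plugins"
    for dir in "$@"; do
        if dir_is_loosely_writable "$dir"; then
            printf 'WARN: %s is group/world-writable\n' "$dir"
        fi
        list_lua_plugins "$dir" | while IFS= read -r plugin; do
            printf 'LUA: %s\n' "$plugin"
            ls -l "$plugin"
        done
    done
}

# Run the audit when executed directly (no effect when sourced for tests).
[ "${0##*/}" = "audit-libinput-plugins.sh" ] && audit_libinput_plugins
```

Any `LUA:` line names a plugin the compositor may load; any `WARN:` line points at a directory whose permissions should be tightened.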