CVE-2026-50265
libinput udev Property Injection Leading to Root Code Execution
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: Red Hat, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libinput | libinput | through 2026-06-05 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-50265 is a security flaw in libinput that allows a local attacker with access to /dev/uinput to inject arbitrary udev properties through the libinput-device-group helper.
This injection can lead to root code execution by exploiting REMOVE_CMD properties, which are executed when a device is removed.
REMOVE_CMD is part of the default udev rules present on most systems, making this vulnerability potentially very impactful.
How can this vulnerability impact me?
This vulnerability allows an attacker with local access to gain elevated privileges, potentially achieving root code execution on affected systems.
Such privilege escalation can compromise the entire system's security, allowing unauthorized control over system resources and data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Because the flaw requires a local attacker with access to /dev/uinput to inject udev properties through the libinput-device-group helper, detection focuses on two things: unexpected udev property injections, and REMOVE_CMD commands that run when a device is removed.
Inspect the udev rules, monitor udev events for suspicious REMOVE_CMD executions, and check the access permissions and usage logs of /dev/uinput for unauthorized access.
- Use the command `udevadm monitor` to observe udev events in real time and look for unexpected REMOVE_CMD executions.
- Check the permissions and recent access to /dev/uinput with `ls -l /dev/uinput` and `auditctl` or `ausearch` if auditd is enabled.
- Review udev rules files, typically located in `/etc/udev/rules.d/` and `/lib/udev/rules.d/`, for any suspicious or unauthorized modifications involving REMOVE_CMD.
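As an added example that is not part of this advisory, the following POSIX shell helpers automate two of the checks above: listing every udev rule line that consumes REMOVE_CMD, and classifying how widely a device node such as /dev/uinput is exposed by its permission bits. It assumes GNU coreutils `stat`; the rules files in the usage section are constructed samples, not real system rules.

```shell
#!/bin/sh
# find_remove_cmd_rules DIR... : print "file:line:text" for every line in
# *.rules under the given directories that references REMOVE_CMD. Passing
# /dev/null as a second file makes grep prefix the real filename (portable).
find_remove_cmd_rules() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.rules; do
            [ -f "$f" ] || continue
            grep -n 'REMOVE_CMD' "$f" /dev/null || true
        done
    done
}

# classify_device_access PATH : print one of
#   restricted  - only the owner has any access (e.g. 0600)
#   group       - the owning group has access, others do not (e.g. 0660)
#   world       - any other user has access (e.g. 0666)
# Uses GNU stat's %a (octal mode); returns 1 if the path cannot be stat'ed.
classify_device_access() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    other=${mode#"${mode%?}"}      # last octal digit
    rest=${mode%?}
    group=${rest#"${rest%?}"}      # second-to-last octal digit (may be empty)
    if [ "$other" != 0 ]; then
        echo world
    elif [ -n "$group" ] && [ "$group" != 0 ]; then
        echo group
    else
        echo restricted
    fi
}

# Usage on a live system (uncomment to run as root):
# find_remove_cmd_rules /etc/udev/rules.d /lib/udev/rules.d /usr/lib/udev/rules.d
# classify_device_access /dev/uinput
```

A result of `world` for /dev/uinput, or a rule outside the distribution's own files that runs `$env{REMOVE_CMD}`, is what the review should escalate.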
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to /dev/uinput to trusted users only, as the vulnerability requires local access to this device.
Review and harden udev rules to prevent execution of arbitrary commands via REMOVE_CMD properties.
Apply any available patches or updates to libinput as provided by your Linux distribution or vendor to fix this vulnerability.
Monitor system logs and udev events for suspicious activity related to device removal and udev property injections.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows a local attacker to gain elevated privileges on the system, potentially leading to root code execution.
Such unauthorized privilege escalation and potential system compromise can lead to unauthorized access to sensitive data, which may impact compliance with data protection regulations like GDPR and HIPAA.
Organizations relying on affected libinput versions must address this vulnerability promptly to maintain compliance with security requirements mandated by these standards.