CVE-2026-50292
Analyzed Analyzed - Analysis Complete

libinput udev Property Injection Leading to Root Code Execution

Vulnerability report for CVE-2026-50292, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-04

Last updated on: 2026-06-05

Assigner: MITRE

Description

In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-04
Last Modified
2026-06-05
Generated
2026-07-15
AI Q&A
2026-06-04
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
freedesktop libinput to 1.30.4 (exc)
freedesktop libinput From 1.31.0 (inc) to 1.31.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in libinput versions before 1.30.4 and 1.31.3, specifically in the libinput-device-group helper. The issue is that the phys sysattr value is not properly escaped, allowing an attacker to inject udev properties by including newline characters in the phys attribute.

By exploiting this, an attacker can cause arbitrary root code execution, for example by setting the REMOVE_CMD property in udev.

To exploit this vulnerability, an attacker needs to create a malicious uinput or uhid device. Access to uinput may be available to non-root users if certain packages like steam-devices, antimicrox, or kdeconnectd are installed.

Impact Analysis

This vulnerability can lead to arbitrary root code execution on affected systems, which means an attacker could gain full control over the system with root privileges.

Such control could allow the attacker to modify system files, install malware, disrupt services, or steal sensitive information.

The vulnerability requires local access to create a malicious device, but if exploited, it poses a high risk due to the elevated privileges obtained.

Detection Guidance

This vulnerability can be detected by checking the installed version of libinput on your system to see if it is affected (versions 1.31.2 and earlier, or 1.30.3 and earlier). Additionally, you can inspect if any malicious uinput or uhid devices have been created, as the vulnerability involves injection via the phys sysattr value.

  • Check libinput version: `libinput --version` or `dpkg -l | grep libinput`
  • Look for suspicious uinput or uhid devices: `ls -l /dev/uinput` and `ls -l /dev/uhid`
  • Check udev properties related to phys attribute for unexpected newline characters or injected commands.
Mitigation Strategies

The immediate mitigation step is to upgrade libinput to a fixed version, specifically version 1.31.3 or later, or 1.30.4 or later. This update addresses the improper escaping of the phys sysattr value and prevents arbitrary root code execution.

Additionally, restrict access to uinput devices to trusted users only, as the vulnerability requires an attacker to create malicious uinput or uhid devices.

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50292. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart