CVE-2026-50292
libinput udev Property Injection Leading to Root Code Execution
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libinput | libinput | up to 1.30.4 (exc) |
| libinput | libinput | From 1.31.0 (inc) to 1.31.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in libinput versions before 1.30.4 and in 1.31.x versions before 1.31.3, specifically in the libinput-device-group udev helper. The helper reads a device's phys sysattr and places it in the udev properties it emits without escaping it. Because udev treats every line of a helper's output as a separate KEY=VALUE property, an attacker who controls the phys string can embed newline characters and have the text after them parsed as additional properties of their own choosing (CWE-93, CRLF injection).
By injecting a property such as REMOVE_CMD, which udev later executes, the attacker can obtain arbitrary code execution as root.
To exploit this, an attacker needs to create a device whose phys string they control, for example a uinput or uhid device. /dev/uinput is normally root-only, but packages such as steam-devices, antimicrox, or kdeconnectd may make it accessible to non-root users.
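The mechanism described above, as an added example that is not libinput's code and not part of this advisory: a constructed shell model of a udev import helper that pastes the phys value into its output unescaped, the same helper with the newline rejected, and a minimal model of how udev's IMPORT{program} turns each KEY=VALUE output line into a device property. LIBINPUT_DEVICE_GROUP is the property the real helper sets; the `3/46d/c52b:` prefix, the `/tmp/payload` path and the reject-rather-than-escape fix are placeholders chosen for the example, not what libinput actually does.

```shell
#!/bin/sh
# Added example (not libinput's code): how an unescaped newline in a
# device's phys attribute becomes extra udev properties. udev's
# IMPORT{program} reads the helper's stdout and takes every KEY=VALUE
# line as a property of the device being processed.

NL='
'

# Model of the unfixed helper: the phys value goes into the single
# property line verbatim. The "3/46d/c52b:" bus/vendor/product prefix is
# a placeholder for this example.
vulnerable_helper() {
    printf 'LIBINPUT_DEVICE_GROUP=3/46d/c52b:%s\n' "$1"
}

# Hardened model: refuse any phys value that contains a newline (escaping
# it would also work). Prints nothing and returns 1 on rejection.
hardened_helper() {
    case $1 in
        *"$NL"*) return 1 ;;
    esac
    printf 'LIBINPUT_DEVICE_GROUP=3/46d/c52b:%s\n' "$1"
}

# Model of udev's import parser: count the KEY=VALUE lines on stdin that
# would each become a device property.
count_imported_properties() {
    grep -c '^[A-Za-z_][A-Za-z0-9_]*=' || true
}

# Names of imported properties other than the one the helper should set.
injected_property_names() {
    sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' \
        | grep -v '^LIBINPUT_DEVICE_GROUP$' || true
}

# Constructed phys values: a benign one and one carrying a second line
# that udev would import as the REMOVE_CMD property.
benign='usb-0000:00:14.0-1/input0'
malicious="usb-0000:00:14.0-1/input0${NL}REMOVE_CMD=/tmp/payload"

echo "benign phys    -> $(vulnerable_helper "$benign" | count_imported_properties) property"
echo "malicious phys -> $(vulnerable_helper "$malicious" | count_imported_properties) properties, injected:"
vulnerable_helper "$malicious" | injected_property_names
hardened_helper "$malicious" || echo "hardened helper rejected the malicious phys value"
```

Run it with `sh` to see the benign value produce one property and the malicious value produce two, with REMOVE_CMD as the injected one; the hardened helper emits nothing for the malicious value, which is the behaviour a fix must guarantee for every sysattr that ends up in helper output.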
How can this vulnerability impact me?
This vulnerability can lead to arbitrary root code execution on affected systems, which means an attacker could gain full control over the system with root privileges.
Such control could allow the attacker to modify system files, install malware, disrupt services, or steal sensitive information.
The vulnerability requires local access to create a malicious device, but if exploited, it poses a high risk due to the elevated privileges obtained.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Start by checking the installed libinput version: every version before 1.30.4 is affected, as is 1.31.0 through 1.31.2. Because exploitation requires a device whose phys attribute contains a newline, the phys values of existing input devices and the udev property database can also be inspected for traces of an attempt.
- Check the libinput version: `libinput --version`, `dpkg -l | grep libinput` (Debian/Ubuntu) or `rpm -q libinput` (Fedora/RHEL)
- Check who can open the device nodes an attacker would need: `ls -l /dev/uinput` and `ls -l /dev/uhid`. Listing the nodes does not reveal malicious devices; it shows whether an unprivileged user could create one.
- Inspect the phys attribute of existing input devices (`/sys/class/input/*/device/phys`) and the udev property database for values containing embedded newlines or injected `KEY=VALUE` text such as REMOVE_CMD.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade libinput to a fixed version: 1.30.4 or later on the 1.30 series, or 1.31.3 or later. The fix escapes the phys sysattr value before it reaches udev, which closes the property injection and with it the root code execution.
Additionally, restrict access to /dev/uinput and /dev/uhid to trusted users, since exploitation requires creating a malicious device; review the access granted by packages such as steam-devices, antimicrox, or kdeconnectd, which may open /dev/uinput to non-root users.
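The version check, phys scan and device-node audit from the detection and mitigation answers above, combined into one added script that is not part of this advisory or of libinput. It assumes the affected ranges listed on this page, that each input device's phys attribute is readable at `/sys/class/input/*/device/phys` with a benign value being a single line, and that `udevadm info --export-db` dumps the udev property database; the `mktemp`-style file in the usage note is only for trying the phys check offline.

```shell
#!/bin/sh
# Added example, not part of the advisory or of libinput: audit one host
# for CVE-2026-50292 exposure. Assumptions: affected ranges as listed on
# the page; phys attributes at /sys/class/input/*/device/phys, one line
# when benign; `udevadm info --export-db` available for the property DB.

# Accept only dotted decimal versions such as 1.30.4 (no empty components).
version_is_wellformed() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    return 0
}

# True (exit 0) for a version in an affected range: anything before
# 1.30.4, or 1.31.0 up to but excluding 1.31.3. Malformed versions are
# not flagged here; scan_host reports them separately.
libinput_is_vulnerable() {
    ver=$1
    version_is_wellformed "$ver" || return 1
    major=${ver%%.*}
    rest=${ver#*.};  [ "$rest" = "$ver" ]   && rest=0   # "1"    -> minor 0
    minor=${rest%%.*}
    patch=${rest#*.}; [ "$patch" = "$rest" ] && patch=0  # "1.30" -> patch 0
    patch=${patch%%.*}                                   # drop a 4th component
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$major" -gt 1 ]; then return 1; fi
    if [ "$minor" -lt 30 ]; then return 0; fi
    if [ "$minor" -eq 30 ] && [ "$patch" -lt 4 ]; then return 0; fi
    if [ "$minor" -eq 31 ] && [ "$patch" -lt 3 ]; then return 0; fi
    return 1
}

# True when the file holds more than one line: a phys value carrying an
# embedded newline, which is what a helper could echo into udev.
phys_has_embedded_newline() {
    [ -r "$1" ] || return 1
    n=$(tr -cd '\n' < "$1" | wc -c | tr -d ' ')
    [ "$n" -gt 1 ]
}

# Run every check against the local host and print findings.
scan_host() {
    if command -v libinput >/dev/null 2>&1; then
        ver=$(libinput --version 2>/dev/null | head -n 1)
        ver=${ver##* }                       # keep the last word only
        if ! version_is_wellformed "$ver"; then
            echo "libinput: could not parse version output '$ver'"
        elif libinput_is_vulnerable "$ver"; then
            echo "libinput $ver: AFFECTED, upgrade to 1.30.4 / 1.31.3 or later"
        else
            echo "libinput $ver: not in an affected range"
        fi
    else
        echo "libinput tool not found; check the package manager (dpkg -l | grep libinput, rpm -q libinput)"
    fi

    for f in /sys/class/input/*/device/phys; do
        [ -e "$f" ] || continue              # glob matched nothing
        if phys_has_embedded_newline "$f"; then
            echo "SUSPICIOUS: $f holds more than one line:"
            sed -n l "$f"                    # prints line ends as '$'
        fi
    done

    # Any REMOVE_CMD already sitting in the udev database deserves review.
    udevadm info --export-db 2>/dev/null | grep -n '^E: REMOVE_CMD=' || true

    # Who could open the device nodes needed to create a malicious device?
    for node in /dev/uinput /dev/uhid; do
        [ -e "$node" ] && ls -l "$node"
    done
    # udev rules that widen access to uinput (steam-devices and similar install these)
    grep -ls uinput /etc/udev/rules.d/* /usr/lib/udev/rules.d/* 2>/dev/null || true
    return 0
}

scan_host
```

Run it as root so every phys attribute and the udev database are readable. A single-line phys value is the normal case, so any file reported by the scan is worth examining with `sed -n l`, which makes the injected `KEY=VALUE` text visible; a hit on REMOVE_CMD in the udev database should likewise be traced back to whichever rule or device set it.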
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.