CVE-2026-50292
Analyzed Analyzed - Analysis Complete
libinput udev Property Injection Leading to Root Code Execution

Publication date: 2026-06-04

Last updated on: 2026-06-05

Assigner: MITRE

Description
In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-05
Generated
2026-06-25
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-23
NVD
CVE-2026-50292
EUVD
EUVD-2026-34302
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
freedesktop libinput to 1.30.4 (exc)
freedesktop libinput From 1.31.0 (inc) to 1.31.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in libinput versions before 1.30.4 and 1.31.3, specifically in the libinput-device-group helper. The issue is that the phys sysattr value is not properly escaped, allowing an attacker to inject udev properties by including newline characters in the phys attribute.

By exploiting this, an attacker can cause arbitrary root code execution, for example by setting the REMOVE_CMD property in udev.

To exploit this vulnerability, an attacker needs to create a malicious uinput or uhid device. Access to uinput may be available to non-root users if certain packages like steam-devices, antimicrox, or kdeconnectd are installed.

Impact Analysis

This vulnerability can lead to arbitrary root code execution on affected systems, which means an attacker could gain full control over the system with root privileges.

Such control could allow the attacker to modify system files, install malware, disrupt services, or steal sensitive information.

The vulnerability requires local access to create a malicious device, but if exploited, it poses a high risk due to the elevated privileges obtained.

Detection Guidance

This vulnerability can be detected by checking the installed version of libinput on your system to see if it is affected (versions 1.31.2 and earlier, or 1.30.3 and earlier). Additionally, you can inspect if any malicious uinput or uhid devices have been created, as the vulnerability involves injection via the phys sysattr value.

  • Check libinput version: `libinput --version` or `dpkg -l | grep libinput`
  • Look for suspicious uinput or uhid devices: `ls -l /dev/uinput` and `ls -l /dev/uhid`
  • Check udev properties related to phys attribute for unexpected newline characters or injected commands.
Mitigation Strategies

The immediate mitigation step is to upgrade libinput to a fixed version, specifically version 1.31.3 or later, or 1.30.4 or later. This update addresses the improper escaping of the phys sysattr value and prevents arbitrary root code execution.

Additionally, restrict access to uinput devices to trusted users only, as the vulnerability requires an attacker to create malicious uinput or uhid devices.

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50292. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart