oss-sec mailing list archives
FW: libinput Security Advisory: multiple security issues in libinput
From: Peter Hutterer <peter.hutterer () who-t net>
Date: Thu, 2 Apr 2026 11:24:57 +1000
=========================================
libinput Security Advisory: April 2, 2026
=========================================

Multiple issues have been found in libinput:

1) CVE-2026-35093: Sandbox escape in libinput plugins

The libinput plugin system provides a sandbox to any Lua plugins to restrict them from any IO other than log messages. However, a bug in the plugin system loader allowed for precompiled byte-code to be loaded. This bytecode is not verified at runtime and thus not restricted by the sandbox. This allows a plugin to do basically anything Lua allows, at the process' privilege level. An attacker that manages to deploy such a Lua plugin may thus have unrestricted access to the machine (depending on user privileges).

Upstream issue: https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1271
Upstream fix: https://gitlab.freedesktop.org/libinput/libinput/-/commit/356c498fd4ba25ec99f6866fc96847ec3d1f16bf
Versions affected: libinput 1.31.0, libinput 1.30.[0-2]
Fixed versions: libinput 1.31.1, libinput 1.30.3

2) CVE-2026-35094: Use after free allowing information leak in libinput plugins

This issue is less severe: a plugin that called Lua's __gc() function left a dangling pointer in the device's name which could be printed to the log. Depending on the value at the memory location, this could lead to sensitive information being exposed.

Upstream issue: https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1272
Upstream fix: https://gitlab.freedesktop.org/libinput/libinput/-/commit/45dfd0f0301af855f068df27b2e40cc9f5713acd
Versions affected: libinput 1.31.0, libinput 1.30.[0-2]
Fixed versions: libinput 1.31.1, libinput 1.30.3

As noted above, updated libinput packages that fix these issues have been released.

Affected distributions/compositors:
-----------------------------------
Affected is any distribution with libinput 1.30.0 and newer, however Lua plugins are only loaded if the compositor (or another caller) loads plugins. This is currently the case for GNOME 50's mutter, KWin (git) and Niri (git). wlroots, sway and river are not affected.

Distributions affected: Fedora 43 and Fedora 44. Fedora enables the -Dautoload-plugins meson option which causes plugins to be loaded regardless of compositor support. Arch, OpenSuSE, Ubuntu, Debian and NixOS do not set this flag and/or are on older versions of libinput.

This is not an exhaustive list of distributions or compositors. There are a number of utilities that use libinput and may be affected by this, in particular those run as root.

Acknowledgements
----------------
Many thanks to Koen Tange for reporting this issue.
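The first issue hinges on the loader accepting a precompiled chunk that the Lua sandbox cannot inspect. The following is an added example, not libinput's code nor the upstream fix: a pre-load gate that applies the same detection Lua's own luaL_loadfilex uses (a chunk is bytecode when, after an optional UTF-8 BOM and an optional leading '#' shebang line, its first byte is ESC, the start of LUA_SIGNATURE "\x1bLua"), which is what restricting the load mode to "t" enforces. Function names and the sample chunks are constructed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Skip a UTF-8 BOM and a leading '#' line, exactly as Lua's file loader
 * does before deciding whether a chunk is source text or bytecode. */
static size_t skip_bom_and_comment(const unsigned char *buf, size_t len)
{
    size_t pos = 0;
    if (len >= 3 && buf[0] == 0xEF && buf[1] == 0xBB && buf[2] == 0xBF)
        pos = 3;
    if (pos < len && buf[pos] == '#') {
        while (pos < len && buf[pos] != '\n')
            pos++;
        if (pos < len)
            pos++; /* step past the newline */
    }
    return pos;
}

/* A chunk is precompiled bytecode when its first payload byte is ESC (0x1B). */
bool chunk_is_bytecode(const unsigned char *buf, size_t len)
{
    size_t pos = skip_bom_and_comment(buf, len);
    return pos < len && buf[pos] == 0x1B;
}

/* Gate to run before handing a plugin to the sandboxed interpreter:
 * 0 means plain source text that the sandbox can constrain, -1 means the
 * chunk is bytecode and must be rejected (hypothetical helper). */
int check_plugin_source(const char *name, const unsigned char *buf, size_t len)
{
    if (chunk_is_bytecode(buf, len)) {
        fprintf(stderr, "plugin %s: precompiled bytecode rejected\n", name);
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample chunks: plain source, raw bytecode header, and
     * bytecode hidden behind a shebang line. */
    static const unsigned char text[] = "-- sample plugin\nreturn 1\n";
    static const unsigned char bin[] = "\x1b" "Lua\x54";
    static const unsigned char shebang_bin[] = "#!/usr/bin/lua\n\x1b" "Lua\x54";
    check_plugin_source("text.lua", text, sizeof text - 1);
    check_plugin_source("bin.lua", bin, sizeof bin - 1);
    check_plugin_source("shebang.lua", shebang_bin, sizeof shebang_bin - 1);
    return 0;
}
```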