oss-sec mailing list archives

libinput: libinput-device-group unescaped phys output can inject udev properties


From: Peter Hutterer <peter.hutterer () who-t net>
Date: Thu, 4 Jun 2026 20:12:15 +1000

=========================================
libinput Security Advisory: June 4, 2026
=========================================

An issue has been found in libinput:

1) libinput-device-group unescaped phys output can inject udev properties
   leading to arbitrary root code execution

libinput uses a udev helper called libinput-device-group. This helper uses a
device's phys sysattr as one element of a udev property value which is printed
as a KEY=VALUE pair and imported as ENV by udev.

A malicious uinput or uhid device that sets a phys sysattr containing \n causes
the output to be interpreted as two separate KEY=VALUE pairs by udev. This can
lead to arbitrary code execution as root (e.g. by setting the REMOVE_CMD property).
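The mechanism described above, as an added example that is neither libinput's own code nor the upstream fix: a udev IMPORT{program} helper prints KEY=VALUE lines on stdout and udev imports each line as one property, so a sysattr value is validated and sanitized before it is printed. The function names and the simplified value layout are assumptions; LIBINPUT_DEVICE_GROUP is the property libinput sets, and the injected key in the constructed sample is a neutral placeholder rather than a real udev property.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration (not libinput's code). A udev IMPORT{program} helper
 * prints KEY=VALUE lines and udev imports every line as an ENV property, so
 * any newline inside VALUE ends the pair and the rest of the buffer becomes a
 * second, device-controlled property. A value read from a sysattr such as
 * phys, which a uinput/uhid device controls, must be treated as untrusted. */

/* Return true if value contains only printable ASCII (no newline, carriage
 * return, NUL or other control characters). Hypothetical helper name. */
static bool udev_value_is_clean(const char *value)
{
    for (const unsigned char *p = (const unsigned char *)value; *p; p++) {
        if (*p == '\n' || *p == '\r' || !isprint(*p))
            return false;
    }
    return true;
}

/* Copy value into out, replacing every byte that could break the KEY=VALUE
 * line format with '_'. Returns the number of replaced bytes, or -1 if out
 * is too small. Hypothetical helper name. */
static int udev_value_sanitize(const char *value, char *out, size_t outlen)
{
    size_t len = strlen(value);
    int replaced = 0;

    if (outlen < len + 1)
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (c == '\n' || c == '\r' || !isprint(c)) {
            out[i] = '_';
            replaced++;
        } else {
            out[i] = (char)c;
        }
    }
    out[len] = '\0';
    return replaced;
}

/* Format exactly one KEY=VALUE line for udev from an untrusted value.
 * Returns the number of bytes written (excluding NUL), or -1 on error. */
static int udev_format_property(const char *key, const char *value,
                                char *line, size_t linelen)
{
    char clean[256];
    int n;

    if (udev_value_sanitize(value, clean, sizeof(clean)) < 0)
        return -1;
    n = snprintf(line, linelen, "%s=%s\n", key, clean);
    if (n < 0 || (size_t)n >= linelen)
        return -1;
    return n;
}

/* Count how many KEY=VALUE lines udev would import from buf. */
static int udev_count_pairs(const char *buf)
{
    int count = 0;
    for (const char *p = buf; *p; p++)
        if (*p == '\n')
            count++;
    return count;
}

int main(void)
{
    /* Constructed sample: a phys string with an embedded newline, as a
     * malicious device could supply. INJECTED_KEY is a placeholder. */
    const char *phys = "usb-0000:00:14.0-1/input0\nINJECTED_KEY=1";
    char naive[256], safe[256];

    /* Unescaped output, as the pre-fix helper effectively produced. */
    snprintf(naive, sizeof(naive), "LIBINPUT_DEVICE_GROUP=%s\n", phys);
    /* Sanitized output: always a single property line. */
    udev_format_property("LIBINPUT_DEVICE_GROUP", phys, safe, sizeof(safe));

    printf("phys clean: %s\n", udev_value_is_clean(phys) ? "yes" : "no");
    printf("unescaped output yields %d properties\n", udev_count_pairs(naive));
    printf("sanitized output yields %d properties\n", udev_count_pairs(safe));
    return 0;
}
```

Whether the helper replaces, rejects, or escapes the offending bytes is a policy choice; the property that matters for udev is that the printed line count equals the number of properties the helper intended to set.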

A CVE has been requested for this issue but did not get assigned in time for
this disclosure.

Upstream issue: https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296
Upstream fix: https://gitlab.freedesktop.org/libinput/libinput/-/commit/76f0d8a7f57e2868882864b4611281f12f704b55
Versions affected: libinput <= 1.31.2 and <= 1.30.3
Fixed versions: libinput 1.31.3, 1.30.4

Affected distributions/compositors:
-----------------------------------

Affected are libinput 1.31.2, 1.30.3, and all earlier versions.

To exploit this vulnerability, an attacker needs to create a malicious uinput or
uhid device.

uinput is typically restricted to root but may be tagged with uaccess by custom
udev rules. On Fedora, the following packages ship such a rule: steam-devices,
antimicrox and kdeconnectd. If any of these packages are *installed*, uinput
devices can be created by the user logged into a seat.

uhid is typically restricted to root. I am not aware of packages shipping
udev rules that provide uaccess to /dev/uhid.

Acknowledgements
----------------

Many thanks to Csome for reporting this issue.
