CVE-2026-35093: libinput Auth Bypass Vulnerability

CVE-2026-35093 Overview

A code injection vulnerability has been identified in libinput, the input device handling library widely used by Linux graphical compositors. The flaw allows a local attacker to bypass security restrictions by placing specially crafted Lua bytecode files in system or user configuration directories. Successful exploitation enables unauthorized code execution with the same privileges as the application using libinput, potentially allowing an attacker to monitor keyboard input and exfiltrate sensitive data to external locations.

Critical Impact
Attackers can execute arbitrary code and intercept keyboard input, enabling keylogging capabilities that could capture passwords, credentials, and other sensitive information.

Affected Products

libinput (specific affected versions pending vendor confirmation)
Linux graphical compositors utilizing libinput for input handling
Desktop environments and display servers that rely on libinput

Discovery Timeline

2026-04-01 - CVE-2026-35093 published to NVD
2026-04-01 - Last updated in NVD database

Technical Details for CVE-2026-35093

Vulnerability Analysis

This vulnerability stems from improper handling of Lua bytecode files within libinput's configuration processing mechanism. The library processes Lua scripts from configuration directories without adequately validating or restricting the execution of bytecode, creating an opportunity for code injection attacks.

The weakness is classified under CWE-94 (Improper Control of Generation of Code), indicating that the application fails to properly neutralize or restrict code that is dynamically generated or evaluated. An attacker with local access can craft malicious Lua bytecode and place it in directories where libinput searches for configuration files.

Since libinput runs with the permissions of the parent process—typically a graphical compositor like Wayland compositors or X11 display servers—the injected code inherits these elevated privileges. This creates a significant security concern as graphical compositors often have direct access to input devices.

Root Cause

The root cause of this vulnerability is insufficient validation of Lua bytecode files loaded from configuration directories. The libinput library processes these files without properly restricting the capabilities available to the Lua execution environment. By accepting precompiled bytecode rather than just source scripts, the library inadvertently allows attackers to bypass source-level security checks and execute arbitrary operations.

Configuration directories that may be vulnerable include user-level paths such as ~/.config/libinput/ and system-wide paths like /etc/libinput/. Any local user with write access to these directories can potentially exploit this vulnerability.

Attack Vector

The attack requires local access to the target system. An attacker must be able to write files to libinput's configuration directories, either through:

Direct file system access with an unprivileged account that has write permissions to user configuration directories
Exploiting another vulnerability that provides file write capabilities
Social engineering a user to place the malicious file in the appropriate directory

Once the malicious Lua bytecode is in place, it will be executed the next time an application initializes libinput, such as when a user logs into a graphical session. The injected code can then intercept keyboard events, enabling keylogging functionality that captures all user input and potentially transmits it to attacker-controlled infrastructure.

For technical details on the vulnerability mechanism, refer to the GitLab Work Item #1271 and Red Hat Bug Report #2453839.

Detection Methods for CVE-2026-35093

Indicators of Compromise

Unexpected or unauthorized .lua or .luac (compiled Lua bytecode) files in /etc/libinput/, ~/.config/libinput/, or similar configuration directories
Unusual outbound network connections from graphical compositor processes
Unexpected file modifications in libinput configuration directories, particularly files with recent timestamps not associated with legitimate updates
Anomalous process behavior from applications using libinput, including spawning child processes or opening network sockets

Detection Strategies

Implement file integrity monitoring (FIM) on libinput configuration directories to detect unauthorized file additions or modifications
Monitor for suspicious Lua bytecode files using signature-based detection or entropy analysis to identify potentially malicious content
Deploy endpoint detection solutions capable of identifying anomalous behavior patterns from input handling processes
Audit user access to libinput configuration directories and alert on write operations from non-administrative accounts

Monitoring Recommendations

Enable audit logging for file operations in /etc/libinput/ and user-level ~/.config/libinput/ directories
Monitor graphical compositor processes for unexpected network activity or data exfiltration attempts
Implement real-time alerting for new file creation events in input device configuration paths
Review process execution chains to identify any child processes spawned by libinput-consuming applications

How to Mitigate CVE-2026-35093

Immediate Actions Required

Restrict write permissions on libinput configuration directories to root or trusted administrators only
Audit existing libinput configuration directories for any unauthorized or suspicious Lua files
Consider disabling Lua configuration support in libinput if not required for your deployment
Implement application whitelisting to prevent execution of unauthorized Lua bytecode

Patch Information

A security patch addressing this vulnerability is expected from the libinput maintainers. Monitor the following resources for patch availability:

Once patches are released, prioritize updating libinput packages across all affected systems, particularly those running graphical desktop environments.

Workarounds

Remove write permissions for non-root users from libinput configuration directories using: chmod 755 /etc/libinput/ and chown root:root /etc/libinput/
If Lua configuration is not required, consider building libinput without Lua support or removing Lua dependencies
Implement SELinux or AppArmor policies to restrict libinput's ability to execute arbitrary Lua code or establish network connections
Deploy file system access controls (ACLs) to limit which users can modify configuration files in input device directories

bash

# Configuration example
# Restrict permissions on libinput configuration directories
sudo chmod 755 /etc/libinput/
sudo chown root:root /etc/libinput/

# Remove any existing suspicious Lua files (audit first)
sudo find /etc/libinput/ -name "*.lua" -o -name "*.luac" -exec ls -la {} \;

# Set immutable attribute on configuration directory (optional)
sudo chattr +i /etc/libinput/

CVE-2026-35093 Overview

Critical Impact
Attackers can execute arbitrary code and intercept keyboard input, enabling keylogging capabilities that could capture passwords, credentials, and other sensitive information.

Affected Products

libinput (specific affected versions pending vendor confirmation)
Linux graphical compositors utilizing libinput for input handling
Desktop environments and display servers that rely on libinput

Discovery Timeline

2026-04-01 - CVE-2026-35093 published to NVD
2026-04-01 - Last updated in NVD database

Technical Details for CVE-2026-35093

Vulnerability Analysis

Root Cause

Attack Vector

The attack requires local access to the target system. An attacker must be able to write files to libinput's configuration directories, either through:

Direct file system access with an unprivileged account that has write permissions to user configuration directories
Exploiting another vulnerability that provides file write capabilities
Social engineering a user to place the malicious file in the appropriate directory

For technical details on the vulnerability mechanism, refer to the GitLab Work Item #1271 and Red Hat Bug Report #2453839.

Detection Methods for CVE-2026-35093

Indicators of Compromise

Unexpected or unauthorized .lua or .luac (compiled Lua bytecode) files in /etc/libinput/, ~/.config/libinput/, or similar configuration directories
Unusual outbound network connections from graphical compositor processes
Unexpected file modifications in libinput configuration directories, particularly files with recent timestamps not associated with legitimate updates
Anomalous process behavior from applications using libinput, including spawning child processes or opening network sockets

Detection Strategies

Implement file integrity monitoring (FIM) on libinput configuration directories to detect unauthorized file additions or modifications
Monitor for suspicious Lua bytecode files using signature-based detection or entropy analysis to identify potentially malicious content
Deploy endpoint detection solutions capable of identifying anomalous behavior patterns from input handling processes
Audit user access to libinput configuration directories and alert on write operations from non-administrative accounts

Monitoring Recommendations

Enable audit logging for file operations in /etc/libinput/ and user-level ~/.config/libinput/ directories
Monitor graphical compositor processes for unexpected network activity or data exfiltration attempts
Implement real-time alerting for new file creation events in input device configuration paths
Review process execution chains to identify any child processes spawned by libinput-consuming applications

How to Mitigate CVE-2026-35093

Immediate Actions Required

Restrict write permissions on libinput configuration directories to root or trusted administrators only
Audit existing libinput configuration directories for any unauthorized or suspicious Lua files
Consider disabling Lua configuration support in libinput if not required for your deployment
Implement application whitelisting to prevent execution of unauthorized Lua bytecode

Patch Information

A security patch addressing this vulnerability is expected from the libinput maintainers. Monitor the following resources for patch availability:

Once patches are released, prioritize updating libinput packages across all affected systems, particularly those running graphical desktop environments.

Workarounds

Remove write permissions for non-root users from libinput configuration directories using: chmod 755 /etc/libinput/ and chown root:root /etc/libinput/
If Lua configuration is not required, consider building libinput without Lua support or removing Lua dependencies
Implement SELinux or AppArmor policies to restrict libinput's ability to execute arbitrary Lua code or establish network connections
Deploy file system access controls (ACLs) to limit which users can modify configuration files in input device directories

bash

# Configuration example
# Restrict permissions on libinput configuration directories
sudo chmod 755 /etc/libinput/
sudo chown root:root /etc/libinput/

# Remove any existing suspicious Lua files (audit first)
sudo find /etc/libinput/ -name "*.lua" -o -name "*.luac" -exec ls -la {} \;

# Set immutable attribute on configuration directory (optional)
sudo chattr +i /etc/libinput/

CVE-2026-35093: libinput Auth Bypass Vulnerability

CVE-2026-35093 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-35093

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-35093

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-35093

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2026-35093: libinput Auth Bypass Vulnerability

CVE-2026-35093 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-35093

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-35093

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-35093

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform