CVE-2026-35094 Overview
A dangling pointer vulnerability has been identified in libinput that could lead to information disclosure. An attacker with local access who is capable of deploying a Lua plugin file in specific system directories can exploit this flaw. The vulnerability occurs when a garbage collection cleanup function is called, leaving a pointer that can then be printed to system logs. This could potentially expose sensitive data if the memory location is re-used by other processes or operations.
Critical Impact
Potential exposure of sensitive memory contents through system logs when Lua plugins are enabled in libinput and loaded by the compositor.
Affected Products
- libinput (versions with Lua plugin support enabled)
Discovery Timeline
- 2026-04-01 - CVE-2026-35094 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-35094
Vulnerability Analysis
This vulnerability is classified as CWE-825 (Expired Pointer Dereference), commonly known as a dangling pointer or use-after-free class vulnerability. The flaw exists in the Lua plugin handling mechanism within libinput.
When libinput processes Lua plugins, the garbage collection cleanup routine improperly handles memory deallocation. After the cleanup function executes, a pointer reference remains in memory even though the underlying data has been freed. This dangling pointer is subsequently used when logging operations occur, causing the contents of the memory location (which may now contain unrelated data) to be written to system logs.
The vulnerability requires specific conditions to be exploited: Lua plugins must be enabled in libinput, the attacker must have local access to deploy a malicious plugin file in system directories, and the compositor must load the plugin. The local attack vector and requirement for authenticated access significantly limit the exploitability of this vulnerability.
Root Cause
The root cause is improper memory management in the Lua plugin garbage collection handler. When the cleanup function deallocates memory associated with Lua plugin objects, it fails to nullify all references to that memory. The orphaned pointer continues to be accessible and is used in subsequent logging operations, leading to the exposure of whatever data currently resides at that memory address.
Attack Vector
The attack requires local access to the system with the ability to place a specially crafted Lua plugin file in directories monitored by libinput. The attack sequence involves:
- An authenticated local attacker creates a malicious Lua plugin designed to trigger the garbage collection cleanup routine
- The plugin is placed in a libinput plugin directory
- When the compositor loads the plugin and garbage collection runs, the dangling pointer is created
- Subsequent logging operations print the contents of the freed memory location
- Sensitive information that may have been allocated to that memory region gets exposed in system logs
The exploitation is constrained by the need for local authenticated access and specific configuration requirements (Lua plugins enabled and loaded by compositor). No proof-of-concept exploits are currently publicly available.
Detection Methods for CVE-2026-35094
Indicators of Compromise
- Unusual Lua plugin files appearing in libinput plugin directories
- Unexpected memory-related entries in system logs from libinput processes
- New or modified plugin files with suspicious content in /etc/libinput/ or related directories
Detection Strategies
- Monitor file system changes in libinput plugin directories for unauthorized Lua files
- Review system logs for anomalous entries containing memory addresses or unexpected data patterns from libinput
- Implement file integrity monitoring on libinput configuration and plugin directories
Monitoring Recommendations
- Enable audit logging for file creation and modification events in libinput plugin directories
- Configure centralized log collection to detect unusual log entries from libinput processes
- Implement alerts for new Lua plugin deployments outside of normal change management processes
How to Mitigate CVE-2026-35094
Immediate Actions Required
- Review libinput configuration to determine if Lua plugins are enabled
- Disable Lua plugin support in libinput if not required for operations
- Restrict write access to libinput plugin directories to authorized administrators only
- Audit existing Lua plugins for unauthorized or suspicious files
Patch Information
Refer to the official security advisories for patch availability and update instructions:
Workarounds
- Disable Lua plugin support in libinput configuration if the functionality is not required
- Implement strict file system permissions on libinput plugin directories to prevent unauthorized plugin deployment
- Use application whitelisting to control which plugins can be loaded by the compositor
- Consider running libinput with reduced privileges where possible
# Example: Restrict permissions on libinput plugin directories
chmod 750 /etc/libinput/
chown root:root /etc/libinput/
# Disable Lua plugins if not needed (consult documentation for your distribution)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
