Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35094

CVE-2026-35094: libinput Information Disclosure Flaw

CVE-2026-35094 is an information disclosure vulnerability in libinput caused by a dangling pointer flaw. Attackers can exploit this to expose sensitive data through system logs. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-35094 Overview

A dangling pointer vulnerability has been identified in libinput that could lead to information disclosure. An attacker with local access who is capable of deploying a Lua plugin file in specific system directories can exploit this flaw. The vulnerability occurs when a garbage collection cleanup function is called, leaving a pointer that can then be printed to system logs. This could potentially expose sensitive data if the memory location is re-used by other processes or operations.

Critical Impact

Potential exposure of sensitive memory contents through system logs when Lua plugins are enabled in libinput and loaded by the compositor.

Affected Products

  • libinput (versions with Lua plugin support enabled)

Discovery Timeline

  • 2026-04-01 - CVE-2026-35094 published to NVD
  • 2026-04-01 - Last updated in NVD database

Technical Details for CVE-2026-35094

Vulnerability Analysis

This vulnerability is classified as CWE-825 (Expired Pointer Dereference), commonly known as a dangling pointer or use-after-free class vulnerability. The flaw exists in the Lua plugin handling mechanism within libinput.

When libinput processes Lua plugins, the garbage collection cleanup routine improperly handles memory deallocation. After the cleanup function executes, a pointer reference remains in memory even though the underlying data has been freed. This dangling pointer is subsequently used when logging operations occur, causing the contents of the memory location (which may now contain unrelated data) to be written to system logs.

The vulnerability requires specific conditions to be exploited: Lua plugins must be enabled in libinput, the attacker must have local access to deploy a malicious plugin file in system directories, and the compositor must load the plugin. The local attack vector and requirement for authenticated access significantly limit the exploitability of this vulnerability.

Root Cause

The root cause is improper memory management in the Lua plugin garbage collection handler. When the cleanup function deallocates memory associated with Lua plugin objects, it fails to nullify all references to that memory. The orphaned pointer continues to be accessible and is used in subsequent logging operations, leading to the exposure of whatever data currently resides at that memory address.

Attack Vector

The attack requires local access to the system with the ability to place a specially crafted Lua plugin file in directories monitored by libinput. The attack sequence involves:

  1. An authenticated local attacker creates a malicious Lua plugin designed to trigger the garbage collection cleanup routine
  2. The plugin is placed in a libinput plugin directory
  3. When the compositor loads the plugin and garbage collection runs, the dangling pointer is created
  4. Subsequent logging operations print the contents of the freed memory location
  5. Sensitive information that may have been allocated to that memory region gets exposed in system logs

The exploitation is constrained by the need for local authenticated access and specific configuration requirements (Lua plugins enabled and loaded by compositor). No proof-of-concept exploits are currently publicly available.

Detection Methods for CVE-2026-35094

Indicators of Compromise

  • Unusual Lua plugin files appearing in libinput plugin directories
  • Unexpected memory-related entries in system logs from libinput processes
  • New or modified plugin files with suspicious content in /etc/libinput/ or related directories

Detection Strategies

  • Monitor file system changes in libinput plugin directories for unauthorized Lua files
  • Review system logs for anomalous entries containing memory addresses or unexpected data patterns from libinput
  • Implement file integrity monitoring on libinput configuration and plugin directories

Monitoring Recommendations

  • Enable audit logging for file creation and modification events in libinput plugin directories
  • Configure centralized log collection to detect unusual log entries from libinput processes
  • Implement alerts for new Lua plugin deployments outside of normal change management processes

How to Mitigate CVE-2026-35094

Immediate Actions Required

  • Review libinput configuration to determine if Lua plugins are enabled
  • Disable Lua plugin support in libinput if not required for operations
  • Restrict write access to libinput plugin directories to authorized administrators only
  • Audit existing Lua plugins for unauthorized or suspicious files

Patch Information

Refer to the official security advisories for patch availability and update instructions:

Workarounds

  • Disable Lua plugin support in libinput configuration if the functionality is not required
  • Implement strict file system permissions on libinput plugin directories to prevent unauthorized plugin deployment
  • Use application whitelisting to control which plugins can be loaded by the compositor
  • Consider running libinput with reduced privileges where possible
bash
# Example: Restrict permissions on libinput plugin directories
chmod 750 /etc/libinput/
chown root:root /etc/libinput/
# Disable Lua plugins if not needed (consult documentation for your distribution)

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne