Cyber Resilience

CVE-2026-35093

Severity: High (updated)

Published: 01 April 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0018 (7.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-35093 is a high-severity Code Injection (CWE-94) vulnerability in Freedesktop Libinput. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter: Lua (T1059.011). The CVE is ranked at the 7.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-5 (Access Restrictions for Change).

Deeper analysis

CVE-2026-35093 is a code injection vulnerability (CWE-94) in libinput, a library used for handling input devices in Linux graphical environments. The flaw allows a local attacker to place a specially crafted Lua bytecode file in certain system or user configuration directories, bypassing security restrictions. This enables the execution of unauthorized code with the same permissions as the affected program, such as a graphical compositor that relies on libinput. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating high severity due to its potential for privilege escalation and broad impact.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity and no user interaction required. By placing the malicious Lua bytecode in accessible configuration paths, the attacker achieves code execution in the context of the libinput-using process, such as a compositor. This grants the ability to monitor keyboard input and transmit it to an external location, effectively enabling keylogging and data exfiltration with high confidentiality, integrity, and availability impacts, compounded by the changed scope (S:C).

Red Hat advisories detail the issue at https://access.redhat.com/security/cve/CVE-2026-35093 and https://bugzilla.redhat.com/show_bug.cgi?id=2453839, while the libinput project tracks it via https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1271. These resources provide guidance on patches and mitigation steps for affected systems.

Vulnerability details

A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories can bypass security restrictions. This allows the attacker to run unauthorized code with the same permissions as the program using libinput, such as a graphical compositor. This could lead to the attacker monitoring keyboard input and sending that information to an external location.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059.011 Lua (Execution): Adversaries may abuse Lua commands and scripts for execution.
T1056.001 Keylogging (Collection): Adversaries may log user keystrokes to intercept credentials as the user types them.
T1041 Exfiltration Over C2 Channel (Exfiltration): Adversaries may steal data by exfiltrating it over an existing command and control channel.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability enables Lua bytecode injection for arbitrary code execution (T1059.011) in the compositor context, which directly facilitates keylogging (T1056.001), data exfiltration to an external location (T1041), and privilege escalation (T1068), as described above.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-50292 · Same product: Freedesktop Libinput
CVE-2025-25943 · Shared CWE-94
CVE-2025-33240 · Shared CWE-94
CVE-2025-64691 · Shared CWE-94
CVE-2026-26682 · Shared CWE-94
CVE-2024-7425 · Shared CWE-94
CVE-2025-21292 · Shared CWE-94
CVE-2025-63421 · Shared CWE-94
CVE-2025-24159 · Shared CWE-94
CVE-2025-33239 · Shared CWE-94

Affected Assets

freedesktop libinput: ≤ 1.30.3 · 1.30.4 — 1.31.1
fedoraproject fedora: 43, 44

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent (SI-2 Flaw Remediation): Directly remediates the libinput code injection flaw by applying vendor patches that fix improper Lua bytecode loading from configuration directories.

Prevent (CM-5 Access Restrictions for Change): Restricts low-privilege local attackers from placing malicious Lua bytecode files in system configuration directories by authorizing and controlling access to configuration change mechanisms.

Detect: Detects unauthorized placement or modification of malicious Lua bytecode in libinput configuration directories through integrity verification of software components and information.
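The detect control above, and the "Deeper analysis" description of the flaw (a precompiled Lua bytecode file dropped into a plugin configuration directory), both come down to one check: does a plugin directory contain anything that is not the plain-text Lua source it was baselined with? The script below is an added example, not code from this page or from the libinput project. It relies on one fact about Lua itself, that every precompiled chunk (luac output) begins with the four-byte signature ESC "Lua", and it treats the plugin directory paths as assumed placeholders; the constructed temporary directory in `demo()` stands in for a real host so the example runs offline.

```python
"""Integrity check for Lua plugin directories: flag precompiled bytecode and baseline drift.

Added example, not libinput project code. Directory paths are assumed placeholders.
"""
import hashlib
import tempfile
from pathlib import Path

# Every precompiled Lua chunk (luac output, string.dump) starts with ESC "Lua".
LUA_BYTECODE_SIGNATURE = b"\x1bLua"

# Assumed plugin search paths: placeholders for this example, not taken from the advisory.
ASSUMED_PLUGIN_DIRS = ["/etc/libinput/plugins", "~/.config/libinput/plugins"]


def is_lua_bytecode(data: bytes) -> bool:
    """True when the content is a precompiled Lua chunk rather than source text."""
    return data.startswith(LUA_BYTECODE_SIGNATURE)


def build_baseline(directory) -> dict:
    """Record the sha256 of every plain-text .lua file; bytecode is never accepted into a baseline."""
    baseline = {}
    root = Path(directory).expanduser()
    if not root.is_dir():
        return baseline
    for path in sorted(root.rglob("*.lua")):
        data = path.read_bytes()
        if not is_lua_bytecode(data):
            baseline[path.name] = hashlib.sha256(data).hexdigest()
    return baseline


def scan_plugin_dir(directory, baseline: dict) -> list:
    """Return (filename, reason) findings: bytecode files, unknown files, and modified files."""
    findings = []
    root = Path(directory).expanduser()
    if not root.is_dir():
        return findings
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        if is_lua_bytecode(data):
            # Bytecode in a plugin directory is the artefact this CVE's exploitation leaves behind.
            findings.append((path.name, "precompiled Lua bytecode"))
            continue
        expected = baseline.get(path.name)
        if expected is None:
            findings.append((path.name, "not in baseline"))
        elif expected != hashlib.sha256(data).hexdigest():
            findings.append((path.name, "content differs from baseline"))
    return findings


def demo() -> list:
    """Run the scanner over a constructed directory so the example works offline."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "plugins"
        plugins.mkdir()
        # Constructed benign plugin: plain Lua source text, baselined as-is.
        (plugins / "tap.lua").write_bytes(b"-- constructed benign plugin\nlocal x = 1\n")
        baseline = build_baseline(plugins)
        # Constructed post-baseline changes: a bytecode file appears and the benign plugin is edited.
        (plugins / "drop.lua").write_bytes(LUA_BYTECODE_SIGNATURE + b"\x54\x00" + b"\x00" * 16)
        (plugins / "tap.lua").write_bytes(b"-- constructed benign plugin\nlocal x = 2\n")
        return scan_plugin_dir(plugins, baseline)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
    # On a real host, build_baseline() would run once at deployment time against
    # ASSUMED_PLUGIN_DIRS and scan_plugin_dir() on a schedule or from a file-integrity monitor.
```

The baseline deliberately refuses to record bytecode files, so a pre-existing drop cannot be whitelisted by accident, and the scan reports bytecode ahead of any hash comparison, because a bytecode file is a finding regardless of whether it was ever baselined.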