CVE-2026-35093
Published: 01 April 2026
Summary
CVE-2026-35093 is a high-severity Code Injection (CWE-94) vulnerability in Freedesktop Libinput. Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Command and Scripting Interpreter: Lua (T1059.011). By exploit likelihood the CVE ranks at the 7.7th percentile (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-5 (Access Restrictions for Change).
Deeper analysis
CVE-2026-35093 is a code injection vulnerability (CWE-94) in libinput, the library that handles input devices for Wayland compositors and X.org in Linux graphical environments. The flaw lets a local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories bypass the security restrictions libinput applies to plugin code. The result is execution of attacker-controlled code with the permissions of the process that loaded libinput, typically a graphical compositor. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H); the changed scope (S:C) reflects that the injected code runs inside the compositor, a different security authority from the attacker's own session processes.
A local attacker with low privileges (PR:L) can exploit the flaw with low attack complexity and no user interaction: a user who can write to one of the searched configuration directories drops the malicious bytecode and waits for the libinput-using process, such as a compositor, to load it. The payload then runs as arbitrary code in that process, which receives every input event before any application does, so it can log keyboard input and send it to an external location. Confidentiality, integrity and availability impacts are all high, and the changed scope (S:C) means the damage extends beyond the attacker's own privileges.
Red Hat tracks the issue at https://access.redhat.com/security/cve/CVE-2026-35093 and https://bugzilla.redhat.com/show_bug.cgi?id=2453839; the libinput project tracks it at https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1271. These resources carry the patch status and mitigation guidance for affected systems.
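The check a practitioner wants after reading the above is whether any directory libinput loads Lua plugins from already contains precompiled bytecode, and whether a low-privilege user could write there. The scanner below is an added example written for this page; it is not libinput code and does not reproduce the exploit. It applies the same test Lua's own loaders use when asked for text-only chunks (a binary chunk always begins with the signature bytes ESC "Lua"), and it flags plugin files or directories that are group- or world-writable, or that are not root-owned in a system location. The directory list is an assumption drawn from the libinput plugin documentation and should be checked against the distribution's libdir.

```python
"""Check libinput Lua plugin directories for precompiled bytecode and weak permissions.

Added example for this page; it is not libinput code. The directory list is an
assumption taken from the libinput plugin documentation and must be verified
against the distribution's build (libdir in particular).
"""
import os
import stat
from pathlib import Path

# Every Lua binary chunk (5.1 through 5.4) begins with LUA_SIGNATURE, ESC "Lua".
# Lua's loaders reject such chunks when asked for text-only mode ("t").
LUA_BYTECODE_SIGNATURE = b"\x1bLua"

# Assumed search paths (user directory first, then system directories).
_XDG_CONFIG_HOME = os.environ.get("XDG_CONFIG_HOME") or os.path.join(
    os.environ.get("HOME", ""), ".config"
)
DEFAULT_PLUGIN_DIRS = (
    (Path(_XDG_CONFIG_HOME) / "libinput" / "plugins", False),  # user-owned by design
    (Path("/etc/libinput/plugins"), True),                      # system: must be root-owned
    (Path("/usr/lib/libinput/plugins"), True),                  # system: libdir may differ
)


def is_lua_bytecode(head: bytes) -> bool:
    """True if the chunk head carries the binary-chunk signature (same test as mode 't')."""
    return head.startswith(LUA_BYTECODE_SIGNATURE)


def writable_by_others(st: os.stat_result, system_dir: bool) -> bool:
    """Group/world write bits, or a non-root owner in a system directory, let an
    unprivileged local user drop or replace a plugin."""
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return True
    return system_dir and st.st_uid != 0


def scan_plugin_dir(directory: Path, system_dir: bool) -> list[dict]:
    """Return one finding per problem as {'path': ..., 'issue': ...}."""
    findings = []
    if not directory.is_dir():
        return findings
    if writable_by_others(directory.stat(), system_dir):
        findings.append({"path": str(directory),
                         "issue": "plugin directory writable by unprivileged users"})
    for entry in sorted(directory.glob("*.lua")):
        if not entry.is_file():
            continue
        st = entry.stat()  # follows symlinks, so a link to bytecode elsewhere is still caught
        try:
            with entry.open("rb") as fh:
                head = fh.read(len(LUA_BYTECODE_SIGNATURE))
        except OSError as exc:
            findings.append({"path": str(entry), "issue": f"unreadable: {exc.strerror}"})
            continue
        if is_lua_bytecode(head):
            findings.append({"path": str(entry), "issue": "precompiled Lua bytecode"})
        if writable_by_others(st, system_dir):
            findings.append({"path": str(entry),
                             "issue": "plugin file writable by unprivileged users"})
    return findings


def scan(dirs=DEFAULT_PLUGIN_DIRS) -> list[dict]:
    """Scan every (directory, is_system) pair and concatenate the findings."""
    findings = []
    for directory, system_dir in dirs:
        findings.extend(scan_plugin_dir(Path(directory), system_dir))
    return findings


if __name__ == "__main__":
    results = scan()
    for f in results:
        print(f"{f['issue']}: {f['path']}")
    if not results:
        print("no findings")
```

Run it as root after patching: a clean result confirms that no bytecode plugin is staged and that only root can modify the system plugin directories, which is the access-restriction and integrity-verification posture the controls listed later on this page describe. The signature check is the same decision the fixed loader should make; treating any chunk that starts with ESC "Lua" as hostile is what Lua's text-only mode does.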
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17907
Vulnerability details
A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories can bypass security restrictions. This allows the attacker to run unauthorized code with the same permissions as the program using libinput, such as a graphical compositor. This could lead to the attacker monitoring keyboard input and sending that information to an external location.
- CWE(s): CWE-94 (Code Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-generated mapping)
Why these techniques?
The vulnerability enables Lua bytecode injection for arbitrary code execution (Command and Scripting Interpreter: Lua, T1059.011) in the compositor's context, which directly supports keylogging (Input Capture: Keylogging, T1056.001), exfiltration to an external location (Exfiltration Over C2 Channel, T1041), and privilege escalation (Exploitation for Privilege Escalation, T1068).
Mitigating Controls (NIST 800-53 r5, AI-generated mapping)
- SI-2 (Flaw Remediation): directly remediates the libinput code injection flaw by applying the vendor patches that fix the improper loading of Lua bytecode from configuration directories.
- CM-5 (Access Restrictions for Change): keeps low-privilege local users from placing malicious Lua bytecode files in system configuration directories by authorizing and controlling access to the configuration change mechanisms.
- Software and information integrity verification: detects unauthorized placement or modification of Lua bytecode in the libinput configuration directories through integrity checks on software components and configuration files.