Cyber Resilience

CVE-2026-50292

Severity: High
Published: 04 June 2026
Modified: 17 June 2026
KEV Added: not listed
Patch: 04 June 2026
CVSS Score v3.1: 7.4 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0050 (39.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-50292 is a high-severity CRLF Injection (CWE-93) vulnerability in Freedesktop Libinput. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 39.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

In libinput before 1.30.4 and 1.31.x before 1.31.3, unescaped phys output from libinput-device-group can inject udev properties, leading to arbitrary root code execution.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Unescaped phys output injection in libinput directly enables local arbitrary root code execution via udev property manipulation, mapping to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35093 (same product: Freedesktop Libinput)
CVE-2026-39983 (shared CWE-93)
CVE-2026-39849 (shared CWE-93)
CVE-2026-1714 (shared CWE-93)
CVE-2026-8788 (shared CWE-93)
CVE-2026-6351 (shared CWE-93)
CVE-2026-39958 (shared CWE-93)
CVE-2026-41230 (shared CWE-93)
CVE-2025-28357 (shared CWE-93)
CVE-2026-34975 (shared CWE-93)

Affected Assets

Vendor: freedesktop
Product: libinput
Versions: ≤ 1.30.4 · 1.31.0 to 1.31.3

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
