2453840 – (CVE-2026-35094) CVE-2026-35094 libinput: libinput: Information disclosure via dangling pointer in Lua plugin handling

Bug 2453840 (CVE-2026-35094) - CVE-2026-35094 libinput: libinput: Information disclosure via dangling pointer in Lua plugin handling

Summary: CVE-2026-35094 libinput: libinput: Information disclosure via dangling pointe...

Keywords:
Status:	NEW
Alias:	CVE-2026-35094
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-01 13:37 UTC by OSIDB Bzimport
Modified:	2026-04-01 23:45 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-01 13:37:24 UTC

An attacker that can deploy a lua file {/usr/share,/etc}/libinput/plugins and possibly XDG_CONFIG_HOME/libinput/plugins can call a GC cleanup function and leave a dangling pointer. This pointer can then be printed to the system logs, potentially exposing sensitive data once the memory location is re-used.
For the exploit to work, lua plugins must be enabled in libinput and loaded by the compositor. If libinputis compiled with -Dautoload-plugins any plugin is loaded automatically (Fedora 43 and 44). The XDG_CONFIG_HOME directory is only loaded if enabled by the compositor (e.g. mutter 50 does this). The attacker must be able to deploy a lua plugin in one of the directories loaded by libinput.

Comment 2 Peter Hutterer 2026-04-01 23:45:16 UTC

This issue affects Fedora 43 and 44 only. It does not affect any current RHEL version.

Note You need to log in before you can comment on or make changes to this bug.