CVE-2026-35093 on CTRL-OS 24.05

Packages: libinput

Status: Invalid

CVE Information

A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories can bypass security restrictions. This allows the attacker to run unauthorized code with the same permissions as the program using libinput, such as a graphical compositor. This could lead to the attacker monitoring keyboard input and sending that information to an external location.

Updates

2026-04-09 19:42 CEST

Metadata changes:

  • Status for package libinput: “Invalid”

Comment:

False positive due to bad CVE “configuration” data.

Code added in:

  • https://gitlab.freedesktop.org/libinput/libinput/-/commit/9e37bc0cfa4d975291e5a2899e148fb83526d4a2

The commit was added during the 1.30 development phase, and the file and feature do not exist for 1.29 or prior versions.

(Amended on: 2026-04-09 19:45 CEST)

2026-04-09 19:28 CEST

Metadata changes:

  • Status for package libinput: “New”