
CVE-2026-35094 on CTRL-OS 24.05

Packages: libinput

Status: (Hidden)

CVE Information

A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, leaving a pointer that can then be printed to system logs. This could potentially expose sensitive data if the memory location is re-used, leading to information disclosure. For this exploit to work, Lua plugins must be enabled in libinput and loaded by the compositor.

Updates

2026-04-09 19:52 CEST

Metadata changes:

  • Status for package libinput: “(Hidden)”

Comment:

This Finding was added to our tracking manually as its resolution is paired with CVE-2026-35093.

This does not affect CTRL-OS 24.05.

Code added in:

  • https://gitlab.freedesktop.org/libinput/libinput/-/commit/9e37bc0cfa4d975291e5a2899e148fb83526d4a2

The commit was added during the 1.30 development phase, and the file and feature do not exist in 1.29 or prior versions.

(Amended on: 2026-04-09 19:54 CEST)

2026-04-09 19:52 CEST

Metadata changes:

  • Status: New