In the libinput library, before version 1.30.4 and the 1.31.x series before 1.31.3, the libinput-device-group component fails to escape physical device path strings. The unescaped phys output can be injected into udev property definitions, allowing a malicious input device or crafted payload to modify or create udev rules. This results in arbitrary code execution with root privileges, as the udev process runs as root and will load the injected properties. The weakness is identified as CWE‑78 (OS Command Injection) and CWE‑93 (Improper Neutralization of Special Elements used in a Command or Data Structure).

The vulnerability affects libinput releases prior to 1.30.4 and those in the 1.31 series before 1.31.3. Device backends that rely on libinput for input handling, such as most Linux graphical environments and desktops that include the freedesktop libinput component, are impacted. Only the affected versions listed above are vulnerable; newer releases contain the sanitization fix.

The CVSS score of 7.4 indicates high severity. EPSS Score: < 1%, indicating a very low probability of exploitation, but the lack of an immediate exploit in the KEV catalog suggests the vulnerability is not in widespread use yet. The attack vector requires that an attacker be able to supply device information that libinput processes—typically by purchasing or physically attaching a malicious USB input device—so the vulnerability is most relevant for systems that accept untrusted USB or other external devices. Once exploited, the attacker gains root privileges and can perform any operation on the host.