Description
In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution
Published: 2026-06-04
Score: 7.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the libinput library, before version 1.30.4 and in the 1.31.x series before 1.31.3, the libinput-device-group component fails to escape the physical device path (phys) string before emitting it. Because the unescaped phys value is written into udev property definitions, a malicious input device or crafted payload can add or alter udev properties. This results in arbitrary code execution with root privileges, as udev runs as root and loads the injected properties. The weakness is classified as CWE-93: Improper Neutralization of Special Elements used in a Command or Data Structure.

Affected Systems

The vulnerability affects libinput releases prior to 1.30.4 and 1.31.x releases prior to 1.31.3. Any system whose input handling goes through libinput is impacted, which includes most Linux graphical environments and desktops that ship the freedesktop libinput component. Only the affected versions listed above are vulnerable; newer releases contain the sanitization fix.

Risk and Exploitability

The CVSS score of 7.4 indicates high severity. EPSS data is not available, and the vulnerability's absence from the KEV catalog suggests that exploitation is not yet widespread. The attack vector requires that an attacker be able to supply device information that libinput processes, typically by purchasing or physically attaching a malicious USB input device, so the vulnerability is most relevant for systems that accept untrusted USB or other external devices. Once exploited, the attacker gains root privileges and can perform any operation on the host.

Generated by OpenCVE AI on June 4, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libinput to version 1.30.4 or later, or to 1.31.3 or later if using the 1.31 series, to apply the patch that sanitizes phys output.
  • If an immediate upgrade is not feasible, restrict udev rules for input devices to only allow trusted device paths and prevent the creation of arbitrary properties by untrusted users.
  • Apply the patch referenced in commit 76f0d8a7f57e2868882864b4611281f12f704b55, which introduces proper escaping of phys strings before writing udev properties.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 19:15:00 +0000

Type: Title
Values Added: Arbitrary Root Code Execution via Udev Property Injection in libinput

Thu, 04 Jun 2026 17:45:00 +0000

Type: Description
Values Added: In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution

Type: First Time appeared
Values Added: Freedesktop; Freedesktop libinput

Type: Weaknesses
Values Added: CWE-93

Type: CPEs
Values Added: cpe:2.3:a:freedesktop:libinput:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Freedesktop; Freedesktop libinput

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-04T18:12:18.647Z

Reserved: 2026-06-04T16:41:35.817Z

Link: CVE-2026-50292

Vulnrichment

Updated: 2026-06-04T18:12:14.968Z

NVD

Status: Awaiting Analysis

Published: 2026-06-04T18:16:32.530

Modified: 2026-06-04T19:16:30.747

Link: CVE-2026-50292

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T19:00:14Z

Weaknesses