A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories can bypass security restrictions. This allows the

Description

Multiple issues have been found in libinput: 1) CVE-2026-35093: Sandbox escape in libinput plugins The libinput plugin system provides a sandbox to any Lua plugins to restrict them from any IO other than log messages. However, a bug in the plugin system loader allowed for precompiled byte-code to be loaded.

Affected Products

Vendor	Product	Versions
libinput	Lua Handler	—

References

Related News (2 articles)

Tier C

oss-security3h ago

FW: libinput Security Advisory: multiple security issues in libinput

→ No new info (linked only)

Tier C

VulDB14h ago

CVE-2026-35093 | libinput Lua code injection (EUVD-2026-17907)

→ No new info (linked only)

CVSS 3.18.8 HIGH

VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-94, CWE-20

PublishedApr 1, 2026

Last enriched2h agov3

Trending Score59

Source articles3

Independent2

Info Completeness8/14

Missing: versions, epss, kev, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

Version History

Last enriched 2h ago

v3Tier C2h ago

Updated description with details about CVE-2026-35093 and marked exploit availability as true.

descriptioncweIdsexploitAvailableactivelyExploited

via oss-security

v2Tier C8h ago

Updated vendor to libinput, product to Lua Handler, changed severity to CRITICAL, and noted that no exploit exists.

vendorproduct

via VulDB

v19h ago

Initial creation

A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories can bypass security restrictions. This allows the

Description

Affected Products

References

Related News (2 articles)

Community Vote

Related CVEs (1)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History