Vulnerability Report

CVE-2026-35093

RCE

Title: libinput Local Code Execution Bypass

RCE

Proof Of Concept

No public PoC currently indexed for CVE-2026-35093.

CWE Category CWE-94

Published Date Apr 01, 2026

Modified Date Apr 07, 2026

Exploit Status Not Found

Score 8.8 CVSS v3.1

Exploit Probability (EPSS)

0.02%

Vulnerability Summary

CVE-2026-35093: A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories can bypass security restrictions. This allows the attacker to run unauthorized code with the same permissions as the program using libinput, such as a graphical compositor. This could lead to the attacker monitoring keyboard input and sending that information to an external location.

Impacted Vendors

freedesktop 1

Reference Links

https://access.redhat.com/security/cve/CVE-2026-35093 https://bugzilla.redhat.com/show_bug.cgi?id=2453839 https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1271

CVSS v3.1

Source Entity [email protected]

Severity HIGH

8.8

Attack Vector

LOCAL

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

CHANGED

RAW VECTOR CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2026-35093 Exploits & PoCs (Proof Of Concept)

No public PoCs found in our database for this CVE.

April 07, 2026 MODIFIED

Vulnerability data updated via NVD.

April 07, 2026 MODIFIED

Vulnerability data updated via NVD.

April 01, 2026 MODIFIED

Vulnerability data updated via NVD.

Attack Vector Matrix

Access Vector LOCAL

Complexity LOW

Privileges N/A

Interaction NONE

CVSS Vector String


                                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected Stack

No specific products linked.