CVE-2026-50292

Summary

In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution

Affected Software

VendorProductVersion RangeStatus
freedesktoplibinput0 < 1.30.4affected
freedesktoplibinput1.31.0 < 1.31.3affected

Weaknesses

  • CWE-93: CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

Additional References

References