Libinput, the core input handling library powering most Linux desktops on X.Org and Wayland, ships with critical security flaws in its Lua plug-in system. Two vulnerabilities disclosed today—CVE-2026-35093 and CVE-2026-35094—allow malicious plug-ins to escape sandboxes and crash the process, potentially granting attackers full system access at the library’s privilege level. Fixes landed immediately in libinput 1.31.1 and backports for 1.30.3.
This matters because libinput processes keyboard, mouse, touchpad, and tablet events across major desktops like GNOME, KDE Plasma, and Sway. It reads raw input from /dev/input devices, which demands elevated privileges—often running setuid root or via polkit rules. A compromised plug-in executes at that level, opening doors to keyloggers, remote code execution, or persistence on Linux workstations and servers.
The Vulnerabilities
Libinput added Lua plug-in support in version 1.30, released around mid-2025, to let users tweak device behaviors without recompiling. Think custom gesture mappings or hardware quirks. Lua runs embedded, but developers assumed a sandbox would contain it.
CVE-2026-35093 shatters that. The loader accepts pre-compiled Lua bytecode without runtime verification. Attackers craft malicious bytecode that bypasses restrictions, accessing the full Lua API. This includes file I/O, network calls, and shell execution—whatever the host process permits. Since libinput often elevates privileges, this escalates to root shells or data exfiltration.
CVE-2026-35094 adds a use-after-free bug in plug-in handling. Double-free or dangling pointers let attackers corrupt memory, enabling arbitrary code execution. Chained with the sandbox escape, it forms a reliable exploit path.
These flaws stem from rushed implementation. Lua’s flexibility suits scripting, but embedding it securely requires custom sandboxes like Lua’s own LuaJIT protections or seccomp filters—neither fully in place here. Public advisories confirm no mitigations blocked bytecode tampering or memory errors.
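The loader flaw above comes down to a single policy choice in the embedding host: whether a chunk handed to the Lua loader may be precompiled bytecode, and what globals it runs against. The following is an added example written for this article, not libinput's own plug-in loader; it assumes a Lua 5.2 or later interpreter (where load() accepts a mode and an environment argument) and uses constructed sample chunks. It shows a weak loader beside a hardened one: mode "t" refuses binary chunks before any bytecode is executed, and an explicit allow-list environment keeps io, os, package and require out of the plug-in's reach.

```lua
-- Added example, not libinput's code: how an embedding host can refuse
-- precompiled chunks and hand a plug-in a restricted environment.
-- Assumes Lua 5.2 or later, where load() takes a mode and an env argument.
-- Since 5.2 the reference implementation no longer verifies bytecode, so
-- a crafted binary chunk can break any environment-based sandbox; the
-- safe policy is to never load binary chunks from untrusted sources.

-- Constructed sample chunks: a text plug-in that probes for the os and io
-- libraries, and a precompiled (binary) chunk produced with string.dump.
local text_chunk = "return os ~= nil, io ~= nil"
local binary_chunk = string.dump(function() return 1 end)

-- Cheap pre-check: Lua binary chunks start with ESC followed by "Lua".
local function looks_like_bytecode(chunk)
  return chunk:sub(1, 4) == "\27Lua"
end

-- Allow-list environment: only what a device-quirk plug-in needs.
local function make_sandbox()
  return {
    pairs = pairs, ipairs = ipairs, tostring = tostring, tonumber = tonumber,
    math = math,
    string = { format = string.format, sub = string.sub, find = string.find },
  }
end

-- Weak loader: the default mode "bt" accepts bytecode, and with no env the
-- chunk runs against the host's globals (os, io, package, require, ...).
local function load_weak(chunk)
  return load(chunk, "=plugin")
end

-- Hardened loader: the pre-check and mode "t" both reject binary chunks
-- before any bytecode runs, and the explicit env hides the host globals.
local function load_hardened(chunk)
  if looks_like_bytecode(chunk) then
    return nil, "plugin rejected: precompiled chunk"
  end
  return load(chunk, "=plugin", "t", make_sandbox())
end

-- Weak loader: the binary chunk loads, and the text chunk sees os and io.
assert(load_weak(binary_chunk) ~= nil)
local has_os, has_io = load_weak(text_chunk)()
assert(has_os == true and has_io == true)

-- Hardened loader: the binary chunk is refused, and the text chunk sees
-- neither os nor io.
local fn, err = load_hardened(binary_chunk)
assert(fn == nil and err:find("precompiled chunk"))
has_os, has_io = load_hardened(text_chunk)()
assert(has_os == false and has_io == false)

-- Mode "t" alone is enough to refuse the chunk, even without the pre-check:
-- load() returns nil plus "attempt to load a binary chunk (mode is 't')".
local fn2, err2 = load(binary_chunk, "=plugin", "t")
assert(fn2 == nil and err2:find("binary chunk"))

print("ok: bytecode refused, host globals hidden")
```

Run it with a stock lua interpreter (5.2 through 5.4) and the script exits silently except for the final line. The environment table is an allow-list, not a block-list: anything a plug-in should not touch is simply absent, so a new standard library landing in the host never leaks in by default. Note that the environment restriction on its own is not a sandbox against bytecode; without the text-only mode, a crafted binary chunk can corrupt the interpreter's own state regardless of what the env table contains.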
Fixes and Immediate Steps
Developers released libinput 1.31.1 today, patching both CVEs. Version 1.30.3 backports fixes for LTS users. Key changes: bytecode verification on load and use-after-free safeguards via pointer tracking.
Update now. On Fedora, run:
sudo dnf update libinput
Ubuntu/Debian users:
sudo apt update && sudo apt upgrade libinput
Arch:
sudo pacman -Syu libinput
Check your distro's security tracker; the embargoes have lifted, so patches propagate fast.
Disable Lua plug-ins temporarily if you cannot patch yet: set LIBINPUT_LUA_PLUGINS= in your environment, or remove the files under /usr/share/libinput/lua/. Verify the installed version with libinput version, and audit which plug-in files are actually opened with strace -e openat libinput list-devices.
Why This Exposes Linux Users
Libinput underpins 90%+ of Linux desktops. GNOME’s Mutter, KDE’s KWin, and wlroots all rely on it. Servers using it for VM input passthrough (e.g., Proxmox, oVirt) face risks too. Attack surface? Third-party plug-ins from GitHub or distro repos, or supply-chain hits via compromised upstreams.
Skeptically, introducing unsandboxed Lua in a privileged daemon smells like feature creep over security. Linux input stacks have history—remember evdev bugs or synaptics flaws? This echoes LuaJIT CVEs in games or Nginx modules, where scripting trades safety for speed.
Implications run deep. Enterprises delaying Wayland migration now have fresh ammo: input is a prime phish vector. Home users on Pop!_OS or Ubuntu risk drive-by exploits if plug-ins auto-load. Expect zero-days if unpatched systems linger—Linux’s 3-4% desktop share doesn’t deter nation-states targeting devs.
Broader lesson: Scrutinize plug-in systems. Rust’s safety or eBPF might replace Lua long-term, but for now, audit privileges. Watch libinput’s Git log; future releases promise stricter Lua APIs. Stay patched—input control equals system control.