Description

A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, leaving a pointer that can then be printed to system logs. This could potentially expose sensitive data if the memory location is re-used, leading to information disclosure. For this exploit to work, Lua plugins must be enabled in libinput and loaded by the compositor.

INFO

Published Date :

2026-04-01T13:54:00.679Z

Last Modified :

2026-04-01T15:50:07.802Z

Source :

redhat
AFFECTED PRODUCTS

The following products are affected by CVE-2026-35094 vulnerability.

Vendors Products
Redhat
  • Enterprise Linux
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35094.

URL Resource
https://access.redhat.com/security/cve/CVE-2026-35094 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2453840 cve-icon cve-icon
https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1272 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-35094 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-35094 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact