In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HFreedesktop Libinput
APPFreedesktop< 1.30.41.31.0 – 1.31.3 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
Related vulnerabilities
CVE-2026-35093HIGH8.8ten sam produkt
A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain ...
CVE-2022-1215HIGH7.8ten sam produkt
A format string vulnerability was found in libinput
CVE-2026-35094LOW3.3ten sam produkt
W bibliotece libinput znaleziono lukę umożliwiającą exploitację dangling pointer. Atakujący, który umieści pli...
CVE-2021-3185CRITICAL9.8ten sam vendor
A flaw was found in the gstreamer h264 component of gst-plugins-bad before v1.18.1 where when parsing a h264 h...
CVE-2019-20367CRITICAL9.1ten sam vendor
nlist.c in libbsd before 0.10.0 has an out-of-bounds read during a comparison for a symbol name from the strin...