{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35094", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-04-01T12:56:18.939Z", "datePublished": "2026-04-01T13:54:00.679Z", "dateUpdated": "2026-04-01T15:50:07.802Z"}, "containers": {"cna": {"title": "Libinput: libinput: information disclosure via dangling pointer in lua plugin handling", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, leaving a pointer that can then be printed to system logs. This could potentially expose sensitive data if the memory location is re-used, leading to information disclosure. For this exploit to work, Lua plugins must be enabled in libinput and loaded by the compositor."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libinput", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:10"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libinput", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libinput", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libinput", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-35094", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453840", "name": "RHBZ#2453840", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1272"}], "datePublic": "2026-04-01T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-825", "description": "Expired Pointer Dereference", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-825: Expired Pointer Dereference", "timeline": [{"lang": "en", "time": "2026-04-01T13:36:01.001Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-01T00:00:00.000Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Koen Tange (monokles.eu) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-01T14:02:55.147Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T15:39:17.037193Z", "id": "CVE-2026-35094", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T15:50:07.802Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35094", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-04-01T12:56:18.939Z", "datePublished": "2026-04-01T13:54:00.679Z", "dateUpdated": "2026-04-01T15:50:07.802Z"}, "containers": {"cna": {"title": "Libinput: libinput: information disclosure via dangling pointer in lua plugin handling", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, leaving a pointer that can then be printed to system logs. This could potentially expose sensitive data if the memory location is re-used, leading to information disclosure. For this exploit to work, Lua plugins must be enabled in libinput and loaded by the compositor."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libinput", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:10"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libinput", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libinput", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libinput", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-35094", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453840", "name": "RHBZ#2453840", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1272"}], "datePublic": "2026-04-01T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-825", "description": "Expired Pointer Dereference", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-825: Expired Pointer Dereference", "timeline": [{"lang": "en", "time": "2026-04-01T13:36:01.001Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-01T00:00:00.000Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Koen Tange (monokles.eu) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-01T14:02:55.147Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35094", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T15:39:17.037193Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T15:40:04.659Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, leaving a pointer that can then be printed to system logs. This could potentially expose sensitive data if the memory location is re-used, leading to information disclosure. For this exploit to work, Lua plugins must be enabled in libinput and loaded by the compositor."}], "id": "CVE-2026-35094", "lastModified": "2026-04-01T14:23:37.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2026-04-01T14:16:57.637", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2026-35094"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453840"}, {"source": "secalert@redhat.com", "url": "https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1272"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-825"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Koen Tange (monokles.eu) for reporting this issue.", "bugzilla": {"description": "libinput: libinput: Information disclosure via dangling pointer in Lua plugin handling", "id": "2453840", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453840"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, leaving a pointer that can then be printed to system logs. This could potentially expose sensitive data if the memory location is re-used, leading to information disclosure. For this exploit to work, Lua plugins must be enabled in libinput and loaded by the compositor."], "name": "CVE-2026-35094", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "libinput", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "libinput", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "libinput", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "libinput", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-35094\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-35094\nhttps://gitlab.freedesktop.org/libinput/libinput/-/work_items/1272"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Red Hat Enterprise Linux 10", "source": "cna", "vendor": "Red Hat"}, "product": "enterprise_linux", "vendor": "redhat"}], "analysis": {"en": {"generated_at": "2026-04-02T02:27:06.869846+00:00", "value": {"mitigation_remediation": ["Verify if Lua plugins are enabled in libinput and disable them if not required.", "Restrict write permissions on the system directories that store Lua plugin files to authorized users only.", "Monitor system logs for unexpected parameter prints that might leak sensitive information.", "Check Red\u00a0Hat errata or security advisories for a libinput update that patches this issue and apply the update when available.", "Consider upgrading to the latest RHEL release if the vulnerability is addressed there."], "summary": {"action": "Monitor", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Red Hat Enterprise Linux distributions (versions 10, 7, 8, and 9) are affected because they include the vulnerable libinput component. The vulnerability arises when Lua plugins are enabled in libinput and the compositor loads them. Anyone managing these RHEL systems should be aware that any installation of libinput with Lua plugin support is potentially exposed.", "description_and_impact": "A flaw in libinput permits an attacker who can place a Lua plugin file in particular system directories to trigger a dangling pointer during garbage\u2011collection cleanup. The exposed pointer is written to system logs, which may subsequently be recycled for another purpose. If the memory region is re\u2011used, this can reveal sensitive data that was once contained in that region. The issue is classified under CWE\u2011825 and results in potential information disclosure.", "risk_and_exploitability": "The CVSS score is 3.3, indicating low severity, and the vulnerability is not currently listed in CISA\u2019s KEV catalog. EPSS data is unavailable, so the likelihood of exploitation cannot be quantified precisely, but the need to upload a Lua plugin file suggests a local or privileged attacker is required. The exploit path therefore appears constrained to environments where Lua plugins are enabled and write access to the plugin directories is possible. Because the vulnerability leads only to log exposure and does not allow direct code execution, the overall risk remains low, though it still warrants screening of logging output for inadvertent disclosures."}}}}, "created": "2026-04-02T07:49:07.151012+00:00", "updated": "2026-04-02T20:17:31.895523+00:00", "vendors": ["redhat", "redhat$PRODUCT$enterprise_linux"]}