Libinput Hit by Worrying Security Issues with Its Lua Plug-In System

phoronix.com · t-3 · 2 days ago · view on HN · research
quality 7/10 · good
0 net
Tags
apple buffer-overflow cloudflare cve facebook microsoft wordpress
Entities
CVE-2026-35093 CVE-2026-35094
Libinput Hit By Worrying Security Issues With Its Lua Plug-In System - Phoronix Articles & Reviews News Archive Forums Premium Ad-Free Contact Popular Categories Close Articles & Reviews News Archive Forums Premium Contact Categories Computers Display Drivers Graphics Cards Linux Gaming Memory Motherboards Processors Software Storage Operating Systems Peripherals Libinput Hit By Worrying Security Issues With Its Lua Plug-In System Written by Michael Larabel in Desktop on 2 April 2026 at 12:00 AM EDT. 15 Comments Libinput devised a Lua-based plug-in system for modifying devices/events . The Lua plug-in support was introduced last year with libinput 1.30 but unfortunately some security issues have now come to light with the implementation. These Lua plug-in issues are all the more pressing with libinput being widely used on both X.Org and Wayland based Linux desktops for input handling. CVE-2026-35093 was made public tonight as a sandbox escape in libinput plug-ins. A bug within libinput's loader allowed for pre-compiled byte code to be loaded without any verification at run-time. Thus via a Lua plug-in for libinput it was possible to have unrestricted access to the system to the full potential that Lua allows. The bytecode is executed at the process' privilege level with unrestricted system access. CVE-2026-35094 was also made public as a use-after-free vulnerability for libinput plug-ins. More details on these libinput security issues via today's advisory . As a result of these disclosures, libinput 1.31.1 and libinput 1.30.3 have been released with security fixes for these vulnerabilities. 15 Comments Tweet FreeRDP 3.24 Released With Security Fixes & Improved X11 Client Support Budgie 10.10.2 Brings Improved Labwc Wayland Compositor Integration COSMIC Epoch 1.0.8 Released With More Desktop Refinements Libinput 1.31 Released With Configurable Timeouts, Fast 3-Finger Swipes System76's COSMIC Desktop Planning Vulkan Renderer, Improved Gaming Experience Budgie 10.10.1 Released With Better Stability & Improved Labwc Integration Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter , LinkedIn , or contacted via MichaelLarabel.com . Steam On Linux Use Skyrocketed In March - More Than Double The macOS Gaming Marketshare Ubuntu 26.10 Looks To Strip Its GRUB Bootloader To The Bare Minimum For Better Security Ubuntu 26.04 LTS Beta Released: Powered By Linux 7.0 + GNOME 50 + Mesa 26.0 KDE's KWin Compositor Lands First Step Toward Vulkan Support AMD Announces The Ryzen 9 9950X3D2 New Patches Allow Building Linux IPv6-Only, Option To Deprecate "Legacy" IPv4 FreeCAD 1.1 Brings Many Improvements For Open-Source CAD Fedora 45 Plan Approved For Web Frontend To Linux's "Blue Screen of Death" DRM Panic Linux Fixes Performance Bug Affecting Qualcomm Ath11k & Ath12k WiFi Drivers Microsoft's Newest Open-Source Project: Runtime Security For AI Agents Intel Posts Fourth Version Of Cache Aware Scheduling For Linux IBM Collaborating With Arm For Dual-Architecture Hardware CentOS Launches Accelerated Infrastructure Enablement For Driving NVIDIA AI Factories Proposed Wine Code Uses Zink For OpenGL-On-Vulkan By Default Libinput Hit By Worrying Security Issues With Its Lua Plug-In System Steam On Linux Use Skyrocketed In March - More Than Double The macOS Gaming Marketshare AMD GPU Driver Sees DC Idle Manager & Multi-SDMA Engine Optimization For Linux 7.1 Fedora Rejects Proposal To Use systemd For Managing Per-User Environment Variables Cloudflare Announces EmDash As Open-Source "Spiritual Successor" To WordPress Phoronix Premium allows ad-free access to the site, multi-page articles on a single page, and other features while supporting this site's continued operations. AMD Ryzen AI Max "Strix Halo" Enjoys Great Performance Gains With Latest Linux Software Ubuntu 26.04 Showing Nice Gains Over Ubuntu 25.10 On AMD Ryzen 9000 Series KDE Plasma 6.6 Showing Frequent Performance Advantage Over GNOME 50 With NVIDIA R595 Driver Open-Source Nouveau Performance With Linux 7.0 + NVK Mesa 26.1-dev vs. NVIDIA Linux Driver KDE Plasma 6.6 Delivers An Impressive Edge For Radeon Graphics Over GNOME 50 On Ubuntu 26.04 The mission at Phoronix since 2004 has centered around enriching the Linux hardware experience. In addition to supporting our site through advertisements, you can help by subscribing to Phoronix Premium . You can also contribute to Phoronix through tips/donations via PayPal or Stripe . Contact Michael Larabel Support Phoronix While Having Ad-Free Browsing, Single-Page Article Viewing Facebook Twitter / X Legal Disclaimer, Privacy Policy, Cookies | Privacy Manager | Contact Copyright © 2004 - 2026 by Phoronix Media . All trademarks used are properties of their respective owners. All rights reserved.
← Back to stories