{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35094", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-04-01T12:56:18.939Z", "datePublished": "2026-04-01T13:54:00.679Z", "dateUpdated": "2026-04-01T15:50:07.802Z"}, "containers": {"cna": {"title": "Libinput: libinput: information disclosure via dangling pointer in lua plugin handling", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, leaving a pointer that can then be printed to system logs. This could potentially expose sensitive data if the memory location is re-used, leading to information disclosure. For this exploit to work, Lua plugins must be enabled in libinput and loaded by the compositor."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libinput", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:10"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libinput", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libinput", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libinput", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-35094", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453840", "name": "RHBZ#2453840", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1272"}], "datePublic": "2026-04-01T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-825", "description": "Expired Pointer Dereference", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-825: Expired Pointer Dereference", "timeline": [{"lang": "en", "time": "2026-04-01T13:36:01.001Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-01T00:00:00.000Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Koen Tange (monokles.eu) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-01T14:02:55.147Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T15:39:17.037193Z", "id": "CVE-2026-35094", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T15:50:07.802Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35094", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-04-01T12:56:18.939Z", "datePublished": "2026-04-01T13:54:00.679Z", "dateUpdated": "2026-04-01T15:50:07.802Z"}, "containers": {"cna": {"title": "Libinput: libinput: information disclosure via dangling pointer in lua plugin handling", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, leaving a pointer that can then be printed to system logs. This could potentially expose sensitive data if the memory location is re-used, leading to information disclosure. For this exploit to work, Lua plugins must be enabled in libinput and loaded by the compositor."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libinput", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:10"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libinput", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libinput", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libinput", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-35094", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453840", "name": "RHBZ#2453840", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1272"}], "datePublic": "2026-04-01T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-825", "description": "Expired Pointer Dereference", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-825: Expired Pointer Dereference", "timeline": [{"lang": "en", "time": "2026-04-01T13:36:01.001Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-01T00:00:00.000Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Koen Tange (monokles.eu) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-01T14:02:55.147Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35094", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T15:39:17.037193Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T15:40:04.659Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:freedesktop:libinput:-:*:*:*:*:*:*:*", "matchCriteriaId": "1361BCB2-9424-4B4C-A7EC-2AA611F0EF0F", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:43:*:*:*:*:*:*:*", "matchCriteriaId": "E1D1BBE5-0886-4D95-9862-16A4C316F70A", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:44:*:*:*:*:*:*:*", "matchCriteriaId": "DD1E6B15-C7BF-47E1-8034-501385D7B7DD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, leaving a pointer that can then be printed to system logs. This could potentially expose sensitive data if the memory location is re-used, leading to information disclosure. For this exploit to work, Lua plugins must be enabled in libinput and loaded by the compositor."}], "id": "CVE-2026-35094", "lastModified": "2026-04-07T16:25:48.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-01T14:16:57.637", "references": [{"source": "secalert@redhat.com", "tags": ["VDB Entry", "Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2026-35094"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453840"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1272"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-825"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Koen Tange (monokles.eu) for reporting this issue.", "bugzilla": {"description": "libinput: libinput: Information disclosure via dangling pointer in Lua plugin handling", "id": "2453840", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453840"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, leaving a pointer that can then be printed to system logs. This could potentially expose sensitive data if the memory location is re-used, leading to information disclosure. For this exploit to work, Lua plugins must be enabled in libinput and loaded by the compositor."], "name": "CVE-2026-35094", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "libinput", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "libinput", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "libinput", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "libinput", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-35094\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-35094\nhttps://gitlab.freedesktop.org/libinput/libinput/-/work_items/1272"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Red Hat Enterprise Linux 10", "source": "cna", "vendor": "Red Hat"}, "product": "enterprise_linux", "vendor": "redhat"}], "analysis": {"en": {"generated_at": "2026-04-07T23:07:10.056133+00:00", "value": {"mitigation_remediation": ["Apply the Red\u00a0Enterprise\u00a0Linux update that includes the libinput patch.", "If an immediate update is not possible, temporarily disable Lua plugin support in libinput or compositor configuration.", "Verify that Lua plugins are not enabled and that system logs do not contain pointers to cleared memory.", "Continue to monitor for any updates or advisories from Red\u00a0Hat and Fedora."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The flaw affects all Red\u202fHat Enterprise\u202fLinux releases 7 through 10 that ship the vulnerable libinput package. The same vulnerability also impacts Fedora\u202f43 and\u202f44 since they use the upstream libinput library. Specific affected versions are not enumerated in the advisory, so any installation of libinput that has not been upgraded to the patched release should be considered vulnerable.", "description_and_impact": "The vulnerability stems from a dangling pointer in libinput\u2019s Lua plugin handling. When the garbage\u2011collection cleanup function is called, a pointer to freed memory remains. If that memory is subsequently reused, the pointer value can be written to system logs, exposing sensitive data that previously resided there. Because the exploitation occurs during normal log writing, the primary impact is information disclosure, potentially revealing confidential information stored in the temporarily freed memory region.", "risk_and_exploitability": "The CVSS\u202fv3.1 score of\u202f3.3 indicates low severity, and the EPSS score of less than\u202f1\u202f% shows a very small likelihood of exploitation. The flaw is not listed in the CISA\u202fKEV catalog. The attack requires that the attacker can deploy a Lua plugin file in a system directory and that the compositor loads Lua plugins. This implies a local privilege escalation or compromised application scenario; a remote attacker would need higher level access. Because the vulnerability is an information\u2011disclosure issue with no known exploitation code, the risk remains low but not negligible for environments that expose Lua plugins and write logs."}}}}, "created": "2026-04-02T07:49:07.151012+00:00", "updated": "2026-04-08T19:57:07.853594+00:00", "vendors": ["redhat", "redhat$PRODUCT$enterprise_linux"]}