Libinput Hit By Worrying Security Issues With Its Lua Plug-In System
Key Takeaways
- Lua plug-ins allow runtime device event modifications
- CVE-2026-35093 enables sandbox escape via bytecode
- CVE-2026-35094 is a use-after-free bug
- Fixes shipped in libinput 1.31.1 and 1.30.3
- Desktop environments must update immediately
Pulse Analysis
Libinput is the backbone of input handling for most Linux graphical stacks, translating raw hardware signals into events for X.Org and Wayland compositors. Its recent Lua plug‑in framework was introduced to give developers fine‑grained control over device behavior without recompiling the core library. While this flexibility accelerates feature development, it also expands the attack surface, especially when plug‑ins execute code under the same privileges as the libinput daemon.
The two disclosed CVEs illustrate the risks inherent in embedding a scripting engine. CVE‑2026‑35093 allows a crafted plug‑in to bypass the sandbox by loading pre‑compiled bytecode without verification, effectively granting attackers arbitrary code execution. CVE‑2026‑35094, a classic use‑after‑free, can be triggered to corrupt memory and crash the process, potentially leading to privilege escalation. Because libinput runs early in the boot sequence and often with elevated rights, any compromise can cascade to the entire user session, jeopardizing data integrity and privacy.
Mitigation is straightforward: administrators should upgrade to libinput 1.31.1 or at least 1.30.3, which incorporate the necessary checks and memory‑safety fixes. Distributions are expected to push these updates through their package managers within days. In the longer term, the incident underscores the need for rigorous code‑review pipelines and sandboxing of third‑party plug‑ins, especially in core system components. Organizations that rely on Linux workstations should audit their input stack and enforce timely patch cycles to maintain a resilient security posture.
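The bytecode-loading issue described above and the call for sandboxing third-party plug-ins both come down to how the host hands scripts to the Lua interpreter. The following is an added illustration of that general technique, not code from libinput or from its fix: it loads plug-in source with Lua's `load()` in text-only mode (the `"t"` mode string, Lua 5.2 and later) so precompiled chunks are rejected, and it supplies a restricted environment table so the chunk only sees functions the host chose to expose. The plug-in names and the sample chunks are constructed for the demonstration; the bytecode chunk is produced in the script itself with `string.dump` so it runs offline.

```lua
-- Added illustration (not libinput's own loader): refuse precompiled
-- Lua bytecode and run plug-in source inside a restricted environment.
-- Requires Lua 5.2+ for the mode and env arguments of load().

-- Constructed sample chunks for the demonstration.
local text_chunk = "return 'hello from a text plug-in'"
local bytecode_chunk = string.dump(function() return "compiled" end)

-- The only surface a plug-in gets: copies of selected functions.
-- No io, os, load, require, debug or package tables are handed over.
local function plugin_env()
  return {
    print  = print,
    string = { format = string.format, sub = string.sub },
    math   = { floor = math.floor, abs = math.abs },
  }
end

-- Load a plug-in chunk. Two layers:
--  1. Precompiled Lua chunks start with the ESC byte ("\27Lua"); a
--     cheap prefix check lets the host log and reject them explicitly.
--  2. load() with mode "t" makes the interpreter itself refuse any
--     binary chunk, so the check above is belt and braces rather than
--     the only defence. The env argument replaces _ENV for the chunk.
local function load_plugin(src, name)
  if src:sub(1, 1) == "\27" then
    return nil, name .. ": rejected, precompiled bytecode is not allowed"
  end
  local fn, err = load(src, "=" .. name, "t", plugin_env())
  if not fn then
    return nil, name .. ": " .. tostring(err)
  end
  return fn
end

-- Run a plug-in under pcall so a faulty script reports an error
-- instead of taking the host down with it.
local function run_plugin(src, name)
  local fn, err = load_plugin(src, name)
  if not fn then
    return false, err
  end
  return pcall(fn)
end

-- Text source is accepted; the bytecode chunk is refused before it is
-- ever handed to the interpreter.
print(run_plugin(text_chunk, "text_plugin.lua"))
print(run_plugin(bytecode_chunk, "binary_plugin.lua"))
```

The environment table is built fresh per load so one plug-in cannot tamper with the functions another plug-in sees, and only copies of individual functions are exposed rather than the whole `string` or `os` tables; a host that needs to expose more should add entries deliberately rather than pass `_G`.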