High severity8.8NVD Advisory· Published Apr 1, 2026· Updated Apr 7, 2026

CVE-2026-35093

Description

A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories can bypass security restrictions. This allows the attacker to run unauthorized code with the same permissions as the program using libinput, such as a graphical compositor. This could lead to the attacker monitoring keyboard input and sending that information to an external location.

Affected products

Freedesktop/Libinput
cpe:2.3:a:freedesktop:libinput:*:*:*:*:*:*:*:*
Range: <1.30.3
Fedoraproject/Fedora2 versions
cpe:2.3:o:fedoraproject:fedora:43:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:fedoraproject:fedora:43:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:44:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

access.redhat.com/security/cve/CVE-2026-35093nvdThird Party Advisory
bugzilla.redhat.com/show_bug.cginvdIssue TrackingThird Party Advisory

News mentions

Fedora Hummingbird brings the container security model to a Linux host OS
Help Net Security · May 12, 2026
Copy.Fail Linux Vulnerability
Schneier on Security · May 12, 2026
11th May – Threat Intelligence Report
Check Point Research · May 11, 2026
'Dirty Frag' Linux flaw one-ups CopyFail with no patches and public root exploit
The Register Security · May 8, 2026

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000