Low severity3.3NVD Advisory· Published Apr 1, 2026· Updated Apr 7, 2026
CVE-2026-35094
CVE-2026-35094
Description
A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, leaving a pointer that can then be printed to system logs. This could potentially expose sensitive data if the memory location is re-used, leading to information disclosure. For this exploit to work, Lua plugins must be enabled in libinput and loaded by the compositor.
Affected products
3- cpe:2.3:a:freedesktop:libinput:-:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:43:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:fedoraproject:fedora:43:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:44:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- access.redhat.com/security/cve/CVE-2026-35094nvdVDB EntryThird Party Advisory
- bugzilla.redhat.com/show_bug.cginvdIssue TrackingThird Party Advisory
News mentions
4- Fedora Hummingbird brings the container security model to a Linux host OSHelp Net Security · May 12, 2026
- Copy.Fail Linux VulnerabilitySchneier on Security · May 12, 2026
- 11th May – Threat Intelligence ReportCheck Point Research · May 11, 2026
- 'Dirty Frag' Linux flaw one-ups CopyFail with no patches and public root exploitThe Register Security · May 8, 2026