CVE-2026-50265
Description
Local attacker with /dev/uinput access can inject udev properties via libinput-device-group, leading to root code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Local attacker with /dev/uinput access can inject udev properties via libinput-device-group, leading to root code execution.
Vulnerability
A flaw exists in libinput where a local attacker with access to /dev/uinput can inject arbitrary udev properties through the libinput-device-group helper. This vulnerability affects libinput versions prior to the fix. [3]
Exploitation
An attacker needs local access to the system and specifically the ability to interact with /dev/uinput. By leveraging the libinput-device-group helper, the attacker can inject malicious udev properties. The exploit is triggered when a device is removed, particularly if REMOVE_CMD properties are injected, which are present in default udev rules. [3]
Impact
Successful exploitation allows an attacker to gain elevated privileges on the system, potentially leading to root code execution. This is achieved by manipulating udev properties that are processed during device removal. [3]
Mitigation
This vulnerability has been addressed in a fixed version of libinput. The specific fixed version and release date are not detailed in the provided references. Users are advised to update to the patched version as soon as it becomes available. [1, 3]
AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
3News mentions
0No linked articles in our index yet.