CVE-2026-50292
Description
libinput before 1.30.4 and 1.31.3 allows root code execution via crafted phys sysattr values in libinput-device-group.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In libinput versions before 1.30.4 and 1.31.3, the libinput-device-group helper mishandles the phys sysattr. A malicious uinput or uhid device can set a phys sysattr containing newline characters (\n). This crafted input is not properly escaped and is interpreted by udev as separate KEY=VALUE pairs, allowing for the injection of arbitrary udev properties [1].
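The mechanism above, as an added example (not libinput's code and not its fix): a C model of a helper that prints one KEY=VALUE line for a line-oriented consumer, with an unescaped and a sanitized mode. The key EXAMPLE_GROUP, the function names and the sample phys string are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a phys value carrying an embedded newline. */
static const char SAMPLE_PHYS[] = "usb-0000:00:14.0-1/input0\nINJECTED_KEY=1";

/* Replace control bytes (incl. '\n', '\r') with '_'; returns count replaced. */
int sanitize_value(char *s)
{
    int replaced = 0;
    for (; *s != '\0'; s++) {
        if ((unsigned char)*s < 0x20 || *s == 0x7f) {
            *s = '_';
            replaced++;
        }
    }
    return replaced;
}

/* Model of a line-oriented consumer: each line with a non-empty key before
 * '=' counts as one property assignment. */
int count_properties(const char *output)
{
    int n = 0;
    for (const char *line = output; *line != '\0';) {
        size_t len = strcspn(line, "\n");
        const char *eq = memchr(line, '=', len);
        n += (eq != NULL && eq != line);
        line += len + (line[len] == '\n');
    }
    return n;
}

/* Emit one line under the hypothetical key EXAMPLE_GROUP; return assignments. */
int emit_property(char *buf, size_t len, const char *phys, int sanitize)
{
    char value[256];
    snprintf(value, sizeof(value), "%s", phys); /* bounded copy of the attribute */
    if (sanitize)
        sanitize_value(value);
    snprintf(buf, len, "EXAMPLE_GROUP=%s\n", value);
    return count_properties(buf);
}

int main(void)
{
    char buf[512];
    printf("raw: %d\n", emit_property(buf, sizeof(buf), SAMPLE_PHYS, 0));
    printf("sanitized: %d\n", emit_property(buf, sizeof(buf), SAMPLE_PHYS, 1));
    return 0;
}
```

With the raw value the consumer model sees two assignments from what the helper intended as one; with control bytes replaced it sees one.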
Exploitation
An attacker with the ability to create or control a uinput or uhid device can exploit this vulnerability. By setting the phys attribute of such a device to a string containing a newline character, the attacker can cause udev to interpret this as multiple property assignments. This allows for the injection of arbitrary udev properties, such as REMOVE_CMD, which can lead to arbitrary code execution [1].
Impact
Successful exploitation of this vulnerability allows an attacker to achieve arbitrary code execution with root privileges. This is because the injected udev properties can be used to trigger commands or actions with the highest level of system access, potentially compromising the entire system [1].
Mitigation
The vulnerability is fixed in libinput versions 1.30.4 and 1.31.3. Users are advised to update to these versions or later. No workarounds are described in the available references, and there is no information on end-of-life status or on whether the vulnerability has been added to the Known Exploited Vulnerabilities (KEV) catalog [2].
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0
No linked articles in our index yet.