CVE-2026-50292: libinput Local Privilege Escalation via Unescaped phys Output
CVE-2026-50292 is a privilege escalation vulnerability in libinput, a widely-used input device handling library. The flaw allows an attacker with local access to craft malicious device properties that libinput-device-group fails to properly sanitize, leading to injection of arbitrary udev properties. This injection can result in arbitrary code execution with root privileges. The vulnerability affects libinput versions before 1.30.4 and all 1.31.x versions before 1.31.3.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.4 HIGH · CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-93
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
libinput's device-group utility does not adequately escape or validate the phys output from input devices before passing it to udev property configuration. An attacker can supply a crafted phys string containing shell metacharacters or udev directive syntax that, when processed by the udev property injection mechanism, executes attacker-controlled commands. The vulnerability is classified as CWE-93 (Improper Neutralization of Special Elements used in an HTTP Request). The CVSS 3.1 score of 7.4 (HIGH) reflects high impact across confidentiality, integrity, and availability, combined with a high attack complexity that requires local access and specific conditions but no user interaction.
Business impact
Successful exploitation enables complete system compromise on affected Linux machines. An attacker with local access—such as a malicious user account, container, or guest VM—can escalate to root and maintain persistent control. This risk extends across desktop and server deployments, including CI/CD infrastructure, container hosts, and development workstations that rely on libinput for input device management. Organizations managing fleets of Linux systems should treat this as a credible local privilege escalation vector.
Affected systems
The vulnerability affects freedesktop libinput prior to version 1.30.4 and all versions in the 1.31.x series prior to 1.31.3. Any Linux system running a vulnerable version with libinput-device-group enabled is at risk. This includes standard desktop distributions, embedded Linux systems, and container platforms where input device hotplug handling is active. Check your distribution's package version to determine exposure.
Exploitability
Exploitation requires local system access and the ability to trigger device enumeration or hotplug events with a malicious phys property. The attack complexity is high, meaning specific preconditions (controlled device presentation, udev daemon running) must align. No public exploit code is currently known to be in active use, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. However, the severity and local-only requirement mean determined attackers with device-level control or container escape capabilities can likely craft reliable exploits.
Remediation
Apply patches to libinput: upgrade to version 1.30.4 or later in the 1.30.x series, or to version 1.31.3 or later for 1.31.x deployments. Verify the patch version against your vendor's official advisory before deploying. In interim environments where patching is delayed, restrict local user access and monitor udev property injection logs for suspicious patterns. Disable or limit access to libinput-device-group if device hotplug handling is not essential.
Patch guidance
Consult your Linux distribution's package management system for libinput updates. Verify that the installed version meets or exceeds 1.30.4 (for the 1.30 branch) or 1.31.3 (for the 1.31 branch). Test patches in a non-production environment before rollout. Confirm via dpkg, rpm, or your distribution's query tools that the patched version is running after installation; some systems may require a daemon restart or reboot.
Detection guidance
Monitor udev logs for malformed or suspicious phys property entries that contain shell metacharacters, escape sequences, or udev directives. Watch for unexpected root process execution triggered during device enumeration. Check libinput-device-group process execution and its arguments in security logs. In container environments, audit device hotplug events and udev rule application. Host-based intrusion detection can flag anomalous privilege escalation chains stemming from input device processing.
Why prioritize this
Although the vulnerability requires local access and has high attack complexity, its impact is critical: successful exploitation grants root code execution. Organizations should prioritize patching based on system role: internet-facing servers, shared multi-tenant systems, and container hosts should be updated urgently. Desktop and workstation environments should follow within standard change windows, especially if they support untrusted users or run development workloads.
Risk score, explained
The CVSS 3.1 score of 7.4 (HIGH) reflects the combination of remote unobtainability (local access only, AV:L), high attack complexity (AC:H), and no privileges or user interaction required (PR:N/UI:N). Despite these barriers, the impact is severe: confidentiality, integrity, and availability are all rated high due to unrestricted root code execution. The score appropriately captures a serious local privilege escalation that demands prompt patching but is not as critical as network-accessible remote code execution vulnerabilities.
Frequently asked questions
Does this vulnerability require network access?
No. CVE-2026-50292 is a local privilege escalation vulnerability. An attacker must have existing local access to the system (a user account, container, or similar local execution context) to craft malicious device properties and trigger the vulnerability.
Can this vulnerability be exploited remotely?
Not directly. The attack vector is local (AV:L). However, if an attacker gains initial local access through a network compromise or container escape, they could then exploit CVE-2026-50292 to escalate to root.
Is there a workaround if I cannot patch immediately?
Restrict local user access and disable libinput-device-group if input device hotplug is not required. Monitor udev logs closely. These are temporary mitigations; patching should be prioritized as soon as operationally feasible.
How do I verify if my system is vulnerable?
Check your installed libinput version using your package manager (e.g., dpkg -l libinput or rpm -qa libinput). If the version is below 1.30.4 or is in the 1.31.x range below 1.31.3, your system is vulnerable. Consult your vendor's advisory to confirm the exact fix version for your distribution.
This analysis is based on the official CVE record and CVSS scoring data current as of the publication date. Patch versions and remediation guidance should be verified against the freedesktop libinput project's official advisory and your Linux distribution's security bulletins. Exploit reliability and real-world attack prevalence may evolve; monitor security mailing lists and your vulnerability management platform for updates. No liability is assumed for incompleteness or downstream security decisions made on the basis of this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46741HIGHEtsy::StatsD Metric Injection Vulnerability (CVSS 7.5)
- CVE-2026-46739MEDIUMNet::Statsd Metric Injection Vulnerability (Perl)
- CVE-2026-49130MEDIUMMusic Player Daemon CRLF Injection in XSPF Playlists
- CVE-2026-8722MEDIUMNet::Async::Statsd::Client Metric Injection – Perl Monitoring Vulnerability
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface