CVE-2026-50292

HIGH 7.4

CVSS Score

7.4

EPSS Score

0.0%

EPSS Percentile

0th

In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution

CWE	CWE-93
Vendor	freedesktop
Product	libinput
Published	Jun 4, 2026
Last Updated	Jun 4, 2026

Stay Ahead of the Next One

Get instant alerts for freedesktop libinput

Be the first to know when new high vulnerabilities affecting freedesktop libinput are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

freedesktop / libinput

0 < 1.30.4 1.31.0 < 1.31.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

gitlab.freedesktop.org: https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296 gitlab.freedesktop.org: https://gitlab.freedesktop.org/libinput/libinput/-/commit/76f0d8a7f57e2868882864b4611281f12f704b55 openwall.com: https://www.openwall.com/lists/oss-security/2026/06/04/5