CVEFinder.io

CVE-2026-35094

â„šī¸ low
Summary

A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, leaving a pointer that can then be printed to system logs. This could potentially expose sensitive data if the memory location is re-used, leading to information disclosure. For this exploit to work, Lua plugins must be enabled in libinput and loaded by the compositor.

CVSS Score: 3.3 (Low)
EPSS Score: 0.0 (Exploit Probability)
Published Date: 2026-04-01
First Seen: 2026-04-08
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 2.8% of all 318,071 vulnerabilities in our database.

#309,119
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment (Updated: Apr 1, 2026)
🔍 Exploitation Status: None (No known exploits)
⚙️ Automatable: NO (Requires human interaction)
💥 Technical Impact: Partial (Limited system impact)
🏆 Discovered By
Red Hat would like to thank Koen Tange (monokles.eu) for reporting this issue.
SSVC data provided by CISA
Last Modified: 2026-04-07
CVSS Vector 3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

🔗 Related CVEs 6

| CVE ID | Severity | CVSS | EPSS | Summary | Published |
|---|---|---|---|---|---|
| CVE-2026-35093 | ⚠️ high | 8.8 | 0.0 | A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or ... | 2026-04-01 |
| CVE-2023-4134 | 🔶 medium | 5.5 | 0.0 | A use-after-free vulnerability was found in the cyttsp4_core driver in the Linux kernel. This issue occurs in the device... | 2024-11-14 |
| CVE-2024-3056 | ⚠️ high | 7.7 | 0.4 | A flaw was found in Podman. This issue may allow an attacker to create a specially crafted container that, when configur... | 2024-08-02 |
| CVE-2024-6290 | ⚠️ high | 8.8 | 0.3 | Use after free in Dawn in Google Chrome prior to 126.0.6478.126 allowed a remote attacker to potentially exploit heap co... | 2024-06-24 |
| CVE-2024-6291 | ⚠️ high | 8.8 | 0.2 | Use after free in Swiftshader in Google Chrome prior to 126.0.6478.126 allowed a remote attacker to potentially exploit ... | 2024-06-24 |
| CVE-2024-6292 | ⚠️ high | 8.8 | 0.3 | Use after free in Dawn in Google Chrome prior to 126.0.6478.126 allowed a remote attacker to potentially exploit heap co... | 2024-06-24 |
These CVEs affect the same products