CVE-2026-50292

7.4HIGH

Key Information:

Vendor: Freedesktop
Status: Libinput
Vendor: CVE Published:; 4 June 2026

🔔 Create Freedesktop Vulnerability Alert

What is CVE-2026-50292?

In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution

Affected Version(s)

libinput 0 < 1.30.4

libinput 1.31.0 < 1.31.3

References

https://gitlab.freedesktop.org/libinput/libinput/-/work_i...

https://gitlab.freedesktop.org/libinput/libinput/-/commit...

https://www.openwall.com/lists/oss-security/2026/06/04/5

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 4, 2026
Vulnerability Reserved
Jun 4, 2026

CVE-2026-50292 Data

JSON