Introduction
A missing input sanitization in libinput's udev helper program allows a local attacker to inject arbitrary udev properties and execute commands as root, simply by creating a virtual input device with a crafted name. On Linux desktops where packages like steam-devices or kdeconnectd grant unprivileged users access to /dev/uinput, this turns a seat user into root with minimal effort and high reliability.
libinput is the standard input handling library for virtually all modern Linux desktop environments, including GNOME, KDE Plasma, and Sway. Maintained under the freedesktop.org umbrella, it provides input device detection, event processing, and abstraction for both Wayland compositors and X.Org input drivers. Its presence on essentially every Linux system running a graphical environment makes any vulnerability in libinput potentially impactful across the entire Linux desktop ecosystem.
Technical Information
Root Cause: CRLF Injection in udev Property Output
CVE-2026-50292 is classified as CWE-93 (Improper Neutralization of CRLF Sequences). While CRLF injection is most commonly discussed in the context of HTTP response splitting, this vulnerability demonstrates the same class of flaw in a Linux system level context: the libinput-device-group udev helper reads the phys sysfs attribute of input devices and prints it directly into a KEY=VALUE udev property string without any escaping or sanitization.
The udev subsystem interprets newline characters as property delimiters. When the phys value contains a \n character, udev splits the output into two separate KEY=VALUE pairs. The second pair becomes an entirely new udev property under the attacker's control.
Attack Flow
The exploitation chain proceeds through four stages:
Step 1: Malicious Device Creation. A local attacker creates a uinput device using the standard Linux uinput interface and sets its phys sysattr to contain a newline character via the UI_SET_PHYS ioctl. The phys value is crafted to include an injected udev property after the newline. For example, the value might be set to something like:
normal-value\nENV{REMOVE_CMD}="/path/to/malicious-script"
Step 2: Unsanitized Output. The libinput-device-group helper reads the raw phys value using udev_device_get_sysattr_value(d, "phys") and prints it directly as part of a udev property string. No escaping, filtering, or sanitization is applied to the value before output.
Step 3: Property Injection. When udev imports the output from libinput-device-group as environment variables, the newline character causes udev to interpret the output as two separate KEY=VALUE pairs. The attacker controlled second line is parsed as a legitimate udev property.
Step 4: Root Code Execution. By injecting the REMOVE_CMD udev property, the attacker specifies an arbitrary command that udev will execute with root privileges when the malicious device is removed. Since the attacker controls both the device creation and removal, this provides a complete and deterministic local privilege escalation chain from seat user to root.
Privilege Requirements and Exploit Conditions
The critical gating factor for exploitation is whether a non-root user can create uinput or uhid devices. By default, both /dev/uinput and /dev/uhid require root access. However, several commonly installed packages on Fedora ship udev rules that grant uaccess to /dev/uinput:
| Device | Default Access | Packages Granting uaccess (Fedora) | Exploit Feasibility |
|---|---|---|---|
/dev/uinput | Root only | steam-devices, antimicrox, kdeconnectd | Feasible on gaming and multi device desktops |
/dev/uhid | Root only | No known packages ship uaccess rules | Requires root already; not useful for escalation |
On systems where any of these packages are installed, a user logged into a seat can create uinput devices without root privileges, making exploitation straightforward. On systems without these uaccess rules, the attacker would already need root to create the malicious device, which negates the privilege escalation value entirely.
The Fix
The upstream fix in commit 76f0d8a7f57e2868882864b4611281f12f704b55 modifies udev/libinput-device-group.c in two ways:
- The
const char *physpointer declaration is changed to_autofree_ char *phys = NULL, indicating a dynamically allocated sanitized string with automatic cleanup. - Both locations where
physis assigned fromudev_device_get_sysattr_value(d, "phys")are wrapped with a newstr_sanitize()function:phys = str_sanitize(udev_device_get_sysattr_value(d, "phys")).
This sanitization strips or escapes newline and carriage return characters before the phys value is incorporated into the udev property output, preventing the injection.
Affected Systems and Versions
The vulnerability affects:
- libinput versions before 1.30.4 (all prior releases in the 1.30.x branch)
- libinput 1.31.x versions before 1.31.3
Fixed versions are libinput 1.30.4 and libinput 1.31.3. Arch Linux already ships version 1.31.3-1 in its repositories.
The vulnerability is exploitable for privilege escalation specifically on systems where:
- A non-root user has seat access
- One of the following packages (or equivalent) is installed, granting
uaccessto/dev/uinput:steam-devices,antimicrox, orkdeconnectd - Fedora is the most explicitly documented distribution with these conditions, but other distributions shipping similar udev rules may also be affected
Systems without uinput uaccess rules (servers, minimal installations, desktops without gaming or device bridging software) have significantly lower risk, as the attacker would already need root to create the malicious device.
Vendor Security History
The 2026 calendar year has been notable for libinput security disclosures, with three distinct CVEs published in approximately two months:
| CVE | Disclosure Date | Type | Description |
|---|---|---|---|
| CVE-2026-35093 | April 2026 | Sandbox escape | Lua plugin loader accepts pre-compiled bytecode without verification, bypassing the Lua sandbox |
| CVE-2026-35094 | April 2026 | Use after free | Dangling pointer in Lua plugin handling enables information disclosure |
| CVE-2026-50292 | June 2026 | CRLF injection | Unescaped phys output in udev helper enables root code execution |
The two April CVEs were both related to the Lua plugin system introduced in libinput 1.30. CVE-2026-35093 was a sandbox escape where the plugin loader accepted pre-compiled Lua bytecode without runtime verification, allowing unrestricted access at the process privilege level. CVE-2026-35094 was a use after free vulnerability in the Lua plugin handling that could enable information disclosure. SUSE tracked both CVEs across its product line, confirming impact on SLE and openSUSE distributions.
Prior to 2026, libinput had a relatively clean security record with few public CVEs. The pattern of three security issues in two months suggests that the introduction of the Lua plugin system and insufficient input validation in the udev helper represent new attack surface that was not adequately audited before release. The common thread across all three vulnerabilities is a lack of defense in depth: trust boundaries were not enforced at the point where external data entered security critical processing paths.
On the positive side, the vendor response to CVE-2026-50292 was prompt. The oss-security advisory was published on the same day as the NVD entry (June 4, 2026), the fix was already committed upstream, and patched versions (1.30.4 and 1.31.3) were made available simultaneously. The advisory includes clear information about exploit conditions, affected versions, and specific packages that create elevated risk configurations on Fedora, enabling administrators to make informed risk assessments.
Mitigation Recommendations
Immediate Actions
-
Upgrade libinput to version 1.30.4 or 1.31.3 (or later). Verify your current version with
libinput --versionor your distribution's package manager. -
Audit uinput uaccess rules. On Fedora and potentially other distributions, review whether
steam-devices,antimicrox, orkdeconnectdare installed. If they are not needed, removing them eliminates the most accessible attack vector. If they are needed, understand that they grant seat users the ability to create uinput devices. -
Review custom udev rules. Any custom rules granting
uaccessto/dev/uinputor/dev/uhidcreate exploitable configurations.
Defense in Depth
-
Restrict REMOVE_CMD. Where operationally feasible, disable or restrict the
REMOVE_CMDudev property mechanism, which provides the direct root execution path in this exploit chain. -
Monitor uinput device creation. Implement logging for uinput device creation by non-root users. Unexpected uinput devices with unusual
physattributes are a strong indicator of exploitation attempts. -
Backport the fix if packages are unavailable. For distributions that have not yet released patched packages, the upstream commit
76f0d8a7provides the reference implementation of thestr_sanitize()approach.
Prioritization
Desktop systems with steam-devices or similar uaccess granting packages installed, especially those with untrusted seat users, should be patched immediately. Server or minimal systems without uinput uaccess rules can be upgraded on a normal patch cycle.
Threat Intelligence
As of the disclosure date (June 4, 2026), no confirmed evidence of active exploitation of CVE-2026-50292 has been identified. The vulnerability was disclosed responsibly through the oss-security mailing list with fixes already available, consistent with coordinated disclosure. No entries in CISA's Known Exploited Vulnerabilities catalog reference this CVE.
However, several factors suggest this vulnerability is likely to attract threat actor interest:
- Low attack complexity. The exploit requires only the ability to create a uinput device with a crafted
physstring, which is straightforward on systems with appropriate uaccess rules. - Deterministic execution. The
REMOVE_CMDmechanism provides reliable root code execution, not a probabilistic memory corruption exploit that might fail or crash the system. - Existing precedent. A September 2024 threat intelligence report documented Linux malware exploiting udev rules for persistence and privilege escalation, confirming that udev is a known and actively targeted attack surface.
- Large vulnerable population. Systems with Steam installed via
steam-devicesrepresent a large desktop population that may not receive timely security updates.
The most likely threat actor profiles include local privilege escalation toolchain developers, insider threat actors on shared Linux desktops, and APT groups targeting developer workstations that have established local access and need reliable privilege escalation.
Broader Implications
This vulnerability highlights an interesting architectural concern: the REMOVE_CMD udev property provides a direct execution path with root privileges, and its existence as a settable property through imported output makes it a high value target for injection attacks. Hardening udev itself to restrict which properties can be set through imported output would provide a second layer of defense beyond sanitizing individual data sources.
The convergence of three libinput CVEs in 2026 also points to a need for holistic security review of the project's architecture. The Lua plugin system (CVE-2026-35093, CVE-2026-35094) and the udev helper code (CVE-2026-50292) both represent instances where data from external sources was processed without sufficient sanitization before being used in security sensitive contexts. Organizations relying on libinput should consider re-evaluating the project's security posture rather than treating each disclosure as an isolated event.
References
- NVD: CVE-2026-50292
- oss-security: libinput-device-group unescaped phys output can inject udev properties
- GitLab Commit: libinput-device-group: sanitize phys before printing it (76f0d8a7)
- GitLab Issue: libinput-device-group unescaped phys output (#1296)
- libinput Project Page: freedesktop.org
- CWE-93: Improper Neutralization of CRLF Sequences
- Arch Linux: libinput 1.31.3-1 Package
- Phoronix: Libinput Hit By Worrying Security Issues With Its Lua Plugins
- NVD: CVE-2026-35093
- SUSE: CVE-2026-35093
- SUSE: CVE-2026-35094
- Red Hat Bugzilla: CVE-2026-35094
- SISA: New Linux Malware Exploits Udev Rules
- CISA: Known Exploited Vulnerabilities Catalog
- Repology: libinput Package Versions



