Libinput devised a Lua-based plug-in system for modifying devices/events. The Lua plug-in support was introduced last year with libinput 1.30 but unfortunately some security issues have now come to light with the implementation.
These Lua plug-in issues are all the more pressing because libinput is widely used for input handling on both X.Org- and Wayland-based Linux desktops.
CVE-2026-35093 was made public tonight as a sandbox escape in libinput plug-ins. A bug within libinput’s loader allowed pre-compiled bytecode to be loaded without any verification at run-time. A Lua plug-in for libinput could therefore gain unrestricted access to the system, to the full extent that Lua allows: the bytecode is executed at the process’ privilege level with unrestricted system access.
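
One way a loader can refuse pre-compiled bytecode before it reaches the interpreter, as an added example (this is not libinput's code and not a description of its fix). The function names are hypothetical; an embedder on Lua 5.2 or later can also pass mode "t" to luaL_loadbufferx so that the interpreter itself rejects binary chunks.

```c
#include <stddef.h>
#include <string.h>

/* Lua marks pre-compiled chunks with a leading ESC byte
 * (LUA_SIGNATURE is "\x1bLua"). */
#define LUA_BINARY_MARK 0x1B

enum chunk_kind { CHUNK_TEXT = 0, CHUNK_BINARY = 1, CHUNK_EMPTY = 2 };

/*
 * Classify a plug-in file by the same byte Lua's file loader inspects:
 * an optional UTF-8 BOM and an optional first line starting with '#'
 * are skipped first, so the check looks past them as well instead of
 * testing only buf[0].
 */
enum chunk_kind classify_chunk(const unsigned char *buf, size_t len)
{
    size_t i = 0;

    if (len >= 3 && memcmp(buf, "\xEF\xBB\xBF", 3) == 0)
        i = 3;                          /* UTF-8 byte order mark */
    if (i < len && buf[i] == '#') {     /* "#!" or comment first line */
        while (i < len && buf[i] != '\n')
            i++;
        if (i < len)
            i++;                        /* step past the newline */
    }
    if (i >= len)
        return CHUNK_EMPTY;             /* nothing left to execute */
    return buf[i] == LUA_BINARY_MARK ? CHUNK_BINARY : CHUNK_TEXT;
}

/* Hypothetical policy hook: only source-text plug-ins may be loaded;
 * bytecode and empty files are refused. */
int plugin_load_allowed(const unsigned char *buf, size_t len)
{
    return classify_chunk(buf, len) == CHUNK_TEXT;
}
```
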
CVE-2026-35094 was also made public as a use-after-free vulnerability for libinput plug-ins.
More details on these libinput security issues are available via today’s advisory. As a result of these disclosures, libinput 1.31.1 and libinput 1.30.3 have been released with security fixes for these vulnerabilities.
