libinput 1.30.3 is now available. Users are strongly advised to update
from previous 1.30.x versions.

This release fixes two security issues, one of them rather severe.

CVE-2026-35093: Sandbox escape in libinput plugins

The libinput plugin system runs Lua plugins inside a sandbox that is meant to
restrict them from any I/O other than log messages. However, a bug in the
plugin loader allowed precompiled Lua bytecode to be loaded in addition to
source text. Lua does not verify bytecode at load time, so a crafted chunk is
not bound by the sandbox's restrictions and can do essentially anything Lua
allows, at the privilege level of the process that loaded it. An attacker who
manages to deploy such a plugin may thus gain unrestricted access to the
machine (depending on the privileges of the loading process). The fix ("lua:
force text mode for loading plugins") makes the loader reject precompiled
chunks.

CVE-2026-35094: Use after free allowing information leak in libinput plugins

This issue is less severe: a plugin that invoked a device's __gc metamethod
directly, rather than letting the garbage collector run it, left a dangling
pointer in the device's name, which could then be printed to the log. Depending
on what occupied that memory location at the time, sensitive information could
be exposed.

Affected versions:

libinput 1.30.0 and newer. Note, however, that Lua plugins are only loaded if
the compositor (or another caller) enables plugin loading. This is currently
the case for GNOME 50's mutter, KWin (git) and Niri (git). wlroots, sway and
river are not affected.

Mutter and Niri also load plugin files from XDG_CONFIG_HOME/libinput/plugins in
addition to the {/etc,/usr/share}/libinput/plugins paths.
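An added example, not part of this announcement or of libinput itself: a small
POSIX shell audit that walks the plugin directories named above and reports any
file that begins with Lua's precompiled-chunk signature, the four bytes
"\x1bLua" (ESC, 'L', 'u', 'a'). That leading ESC byte is precisely what Lua's
text-only load mode rejects, so a file flagged here is one the fixed loader
would refuse and the unfixed loader would have run unverified. Assumptions: the
directory list is the one given in this announcement, XDG_CONFIG_HOME falls
back to ~/.config when unset, and every regular file in those directories is
treated as a candidate plugin.

```shell
#!/bin/sh
# Added example (not libinput code): look for precompiled Lua chunks in the
# libinput plugin directories. Lua bytecode always starts with the signature
# "\x1bLua"; Lua source text never starts with an ESC byte.

# Print the first four bytes of a file as lowercase hex, e.g. "1b4c7561".
# A missing or empty file yields an empty string.
file_magic() {
    head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Exit 0 if the file carries the Lua bytecode signature, 1 otherwise.
# 1b = ESC, 4c = 'L', 75 = 'u', 61 = 'a'.
is_lua_bytecode() {
    [ "$(file_magic "$1")" = "1b4c7561" ]
}

# Scan one directory. Prints "BYTECODE: <path>" for every precompiled chunk
# found and returns 1 if there was at least one; a missing directory is not
# an error and returns 0.
scan_plugin_dir() {
    dir=$1
    found=0
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if is_lua_bytecode "$f"; then
            printf 'BYTECODE: %s\n' "$f"
            found=1
        fi
    done
    return $found
}

# Scan the directories named in the advisory. The user directory is the one
# mutter and Niri read in addition to the system paths; XDG_CONFIG_HOME
# defaulting to ~/.config is an assumption taken from the XDG base-dir spec.
scan_all_plugin_dirs() {
    rc=0
    for d in "${XDG_CONFIG_HOME:-$HOME/.config}/libinput/plugins" \
             /etc/libinput/plugins \
             /usr/share/libinput/plugins; do
        scan_plugin_dir "$d" || rc=1
    done
    return $rc
}

# Usage: run the scan; a non-zero exit means at least one precompiled chunk
# is installed where a plugin-loading compositor would pick it up.
scan_all_plugin_dirs || echo "precompiled Lua plugin(s) found; remove them and update to libinput 1.30.3"
```

The check is deliberately signature-based rather than extension-based: the
loader bug was about chunk contents, not file names, so a bytecode chunk with
a harmless-looking name is exactly what this is meant to catch.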

Distributions affected: Fedora 43 and Fedora 44. Fedora enables the
-Dautoload-plugins meson option, which causes plugins to be loaded regardless
of compositor support. Arch, openSUSE, Ubuntu, Debian and NixOS do not set this
flag and/or ship older versions of libinput.

This is not an exhaustive list of distributions or compositors. There are a
number of utilities that use libinput and may be affected by this, in
particular those run as root.

Many thanks to Koen Tange for finding these issues.

As usual, the git shortlog is below.

Peter Hutterer (3):
      lua: separate the API from the metatables
      lua: force text mode for loading plugins
      libinput 1.30.3
