PatchSiren

CVE-2026-50292 Freedesktop CVE debrief

CVE-2026-50292 is a HIGH severity vulnerability in libinput, a library used for handling input devices. The vulnerability exists in versions before 1.30.4 and 1.31.x before 1.31.3. An unescaped phys output in libinput-device-group can inject udev properties, potentially leading to arbitrary root code execution.

Vendor: Freedesktop
Product: Libinput
CVSS: HIGH 7.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-04
Original CVE updated: 2026-06-05
Advisory published: 2026-06-04
Advisory updated: 2026-06-05

Who should care

Users of libinput, particularly those using versions before 1.30.4 or 1.31.x before 1.31.3, should be aware of this vulnerability. This includes Linux distributions and other projects that utilize libinput for input device handling.

Technical summary

The vulnerability is caused by an unescaped phys output in libinput-device-group, which can inject udev properties. This can lead to arbitrary root code execution. The CVSS score for this vulnerability is 7.4, indicating a HIGH severity.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to libinput version 1.30.4 or later, or 1.31.3 or later.
  • Apply patches as described in [ref-4](https://gitlab.freedesktop.org/libinput/libinput/-/commit/76f0d8a7f57e2868882864b4611281f12f704b55) and [ref-6](https://www.openwall.com/lists/oss-security/2026/06/04/5).
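
One way to check a host or a list of package versions against the ranges above, as an added example that is not part of the advisory or the libinput project. The function names are illustrative and the sample versions in the loop are constructed; the installed version is read with `pkg-config --modversion libinput` or `libinput --version` when either is available.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a libinput version string
# against the ranges stated on this page.
#   affected: before 1.30.4, and 1.31.x before 1.31.3

# Exit status: 0 = affected, 1 = fixed, 2 = could not parse.
libinput_affected() {
    ver=${1##*:}                 # drop a packaging epoch such as "1:"
    ver=${ver%%[!0-9.]*}         # drop suffixes such as "-1ubuntu2"
    case $ver in ''|.*|*..*) return 2 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $ver                  # split on dots into $1 $2 $3
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; micro=${3:-0}
    [ "$major" -lt 1 ] && return 0
    [ "$major" -gt 1 ] && return 1
    [ "$minor" -lt 30 ] && return 0
    [ "$minor" -eq 30 ] && [ "$micro" -lt 4 ] && return 0
    [ "$minor" -eq 31 ] && [ "$micro" -lt 3 ] && return 0
    return 1
}

# Print the locally installed libinput version, or fail if it cannot be found.
installed_libinput_version() {
    if command -v pkg-config >/dev/null 2>&1 &&
       pkg-config --exists libinput 2>/dev/null; then
        pkg-config --modversion libinput
    elif command -v libinput >/dev/null 2>&1; then
        libinput --version
    else
        return 1
    fi
}

# Turn the exit status into a one-line verdict for reports.
classify() {
    rc=0; libinput_affected "$1" || rc=$?
    case $rc in
        0) echo "$1 affected: upgrade to 1.30.4, 1.31.3 or later" ;;
        1) echo "$1 fixed" ;;
        *) echo "$1 unparseable" ;;
    esac
}

# Constructed sample versions, then the installed one if it can be found.
for v in 1.29.2 1.30.3 1.30.4 1.31.2 1.31.3 1.32.0; do classify "$v"; done
if v=$(installed_libinput_version); then classify "$v"; fi
```

Distribution packages can carry the fix under an older upstream version number, so an "affected" result on a packaged build should be confirmed against the package changelog.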

Evidence notes

The CVE record [cve-org] and NVD detail [nvd] provide official information about this vulnerability. Additional references include [ref-4], [ref-5], and [ref-6].

Official resources

CVE-2026-50292 was published on 2026-06-04T18:16:32.530Z and modified on 2026-06-05T21:06:28.800Z.