CVE-2026-50292

Severity CVSS v4.0:
Pending analysis
Type:
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Publication date:
04/06/2026
Last modified:
05/06/2026

Description

In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:freedesktop:libinput:*:*:*:*:*:*:*:* 1.30.4 (excluding)
cpe:2.3:a:freedesktop:libinput:*:*:*:*:*:*:*:* 1.31.0 (including) 1.31.3 (excluding)