{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-35093/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-35093"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["libinput","code-injection","lua","cve-2026-35093"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-35093 describes a code injection vulnerability within the libinput library. This flaw allows a local attacker with the ability to write files to specific system or user configuration directories to bypass security restrictions. By placing a maliciously crafted Lua bytecode file in these directories, an attacker can inject and execute arbitrary code. The injected code runs with the same privileges as the application using libinput, often a graphical compositor. This vulnerability was reported on April 1, 2026, and impacts systems where libinput is used to handle input devices. Successful exploitation can lead to significant compromise of the affected system, allowing attackers to perform actions such as keylogging or further escalating privileges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system with the ability to write files to the filesystem.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a system or user configuration directory that libinput reads Lua bytecode files from.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious Lua bytecode file designed to execute arbitrary code. This file exploits the vulnerability in libinput\u0026rsquo;s bytecode parsing.\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious Lua bytecode file into the identified configuration directory.\u003c/li\u003e\n\u003cli\u003eThe graphical compositor or other application using libinput loads and parses the malicious Lua bytecode file.\u003c/li\u003e\n\u003cli\u003eThe vulnerability in libinput is triggered, causing the malicious code within the bytecode file to be executed.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes with the same privileges as the application using libinput, gaining control over the compositor.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to monitor keyboard input, potentially stealing credentials or other sensitive information, and exfiltrates data to an external server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35093 allows a local attacker to execute arbitrary code with elevated privileges. This can lead to the compromise of sensitive data, such as keystrokes and credentials, as well as the potential for further system compromise. Given that libinput is used by many graphical compositors and other applications that handle input devices, a successful attack could impact a large number of systems. The impact includes data theft, privilege escalation, and the installation of persistent backdoors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Lua Bytecode File Creation\u003c/code\u003e to identify the creation of suspicious Lua bytecode files in configuration directories (logsource: \u003ccode\u003efile_event\u003c/code\u003e, rule title: \u003ccode\u003eDetect Suspicious Lua Bytecode File Creation\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor file creation events in libinput configuration directories for files with the \u003ccode\u003e.lua\u003c/code\u003e extension using file integrity monitoring tools.\u003c/li\u003e\n\u003cli\u003eApply any available patches for libinput to address CVE-2026-35093 as soon as they are released.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T14:16:57Z","date_published":"2026-04-01T14:16:57Z","id":"/briefs/2026-04-libinput-code-injection/","summary":"A local attacker can exploit CVE-2026-35093 in libinput by placing a specially crafted Lua bytecode file in configuration directories, allowing arbitrary code execution with the privileges of the application using libinput.","title":"Libinput Code Injection Vulnerability via Malicious Lua Bytecode (CVE-2026-35093)","url":"https://feed.craftedsignal.io/briefs/2026-04-libinput-code-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-35093","version":"https://jsonfeed.org/version/1.1"}