{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/lua/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-35093"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["libinput","code-injection","lua","cve-2026-35093"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-35093 describes a code injection vulnerability within the libinput library. This flaw allows a local attacker with the ability to write files to specific system or user configuration directories to bypass security restrictions. By placing a maliciously crafted Lua bytecode file in these directories, an attacker can inject and execute arbitrary code. The injected code runs with the same privileges as the application using libinput, often a graphical compositor. This vulnerability was reported on April 1, 2026, and impacts systems where libinput is used to handle input devices. Successful exploitation can lead to significant compromise of the affected system, allowing attackers to perform actions such as keylogging or further escalating privileges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system with the ability to write files to the filesystem.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a system or user configuration directory that libinput reads Lua bytecode files from.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious Lua bytecode file designed to execute arbitrary code. This file exploits the vulnerability in libinput\u0026rsquo;s bytecode parsing.\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious Lua bytecode file into the identified configuration directory.\u003c/li\u003e\n\u003cli\u003eThe graphical compositor or other application using libinput loads and parses the malicious Lua bytecode file.\u003c/li\u003e\n\u003cli\u003eThe vulnerability in libinput is triggered, causing the malicious code within the bytecode file to be executed.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes with the same privileges as the application using libinput, gaining control over the compositor.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to monitor keyboard input, potentially stealing credentials or other sensitive information, and exfiltrates data to an external server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35093 allows a local attacker to execute arbitrary code with elevated privileges. This can lead to the compromise of sensitive data, such as keystrokes and credentials, as well as the potential for further system compromise. Given that libinput is used by many graphical compositors and other applications that handle input devices, a successful attack could impact a large number of systems. The impact includes data theft, privilege escalation, and the installation of persistent backdoors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Lua Bytecode File Creation\u003c/code\u003e to identify the creation of suspicious Lua bytecode files in configuration directories (logsource: \u003ccode\u003efile_event\u003c/code\u003e, rule title: \u003ccode\u003eDetect Suspicious Lua Bytecode File Creation\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor file creation events in libinput configuration directories for files with the \u003ccode\u003e.lua\u003c/code\u003e extension using file integrity monitoring tools.\u003c/li\u003e\n\u003cli\u003eApply any available patches for libinput to address CVE-2026-35093 as soon as they are released.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T14:16:57Z","date_published":"2026-04-01T14:16:57Z","id":"/briefs/2026-04-libinput-code-injection/","summary":"A local attacker can exploit CVE-2026-35093 in libinput by placing a specially crafted Lua bytecode file in configuration directories, allowing arbitrary code execution with the privileges of the application using libinput.","title":"Libinput Code Injection Vulnerability via Malicious Lua Bytecode (CVE-2026-35093)","url":"https://feed.craftedsignal.io/briefs/2026-04-libinput-code-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Contour"],"_cs_severities":["high"],"_cs_tags":["contour","lua","code-injection","httpproxy","cve-2026-41246"],"_cs_type":"advisory","_cs_vendors":["Project Contour"],"content_html":"\u003cp\u003eProject Contour is susceptible to Lua code injection within its cookie rewriting functionality. The vulnerability arises from insufficient sanitization when user-controlled values are interpolated into Lua source code using Go\u0026rsquo;s \u003ccode\u003etext/template\u003c/code\u003e. This affects Contour versions 1.19.0 through 1.33.3. An attacker with the ability to create or modify \u003ccode\u003eHTTPProxy\u003c/code\u003e resources can inject arbitrary Lua code by crafting malicious values in \u003ccode\u003espec.routes[].cookieRewritePolicies[].pathRewrite.value\u003c/code\u003e or \u003ccode\u003espec.routes[].services[].cookieRewritePolicies[].pathRewrite.value\u003c/code\u003e. While the injected code executes within the attacker\u0026rsquo;s own route, the shared nature of the Envoy proxy allows for potential escalation of privileges, including reading Envoy\u0026rsquo;s xDS client credentials and causing denial of service for other tenants. This vulnerability is resolved in Contour versions v1.33.4, v1.32.5, and v1.31.6.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains RBAC permissions to create or modify \u003ccode\u003eHTTPProxy\u003c/code\u003e resources within the Contour environment.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003eHTTPProxy\u003c/code\u003e resource containing a \u003ccode\u003ecookieRewritePolicies\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eWithin the \u003ccode\u003ecookieRewritePolicies\u003c/code\u003e, the attacker injects Lua code into the \u003ccode\u003epathRewrite.value\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe attacker applies the crafted \u003ccode\u003eHTTPProxy\u003c/code\u003e resource, deploying the malicious configuration to Contour.\u003c/li\u003e\n\u003cli\u003eContour, using the Envoy proxy, processes the \u003ccode\u003eHTTPProxy\u003c/code\u003e resource, interpolating the attacker-controlled value into the Lua filter.\u003c/li\u003e\n\u003cli\u003eWhen traffic is processed on the attacker\u0026rsquo;s route, the injected Lua code executes within the Envoy proxy.\u003c/li\u003e\n\u003cli\u003eThe injected Lua code attempts to read Envoy\u0026rsquo;s xDS client credentials from the filesystem.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained xDS client credentials to read all Contour xDS configuration, including TLS certificates and private keys of other tenants, or to cause a denial of service for other tenants sharing the Envoy instance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploit allows attackers to execute arbitrary code within the Envoy proxy, potentially leading to credential theft and denial of service. Specifically, an attacker can steal TLS certificates and private keys of other tenants within the Contour environment. This could compromise sensitive data and disrupt services. If xDS credentials can be obtained, an attacker can then modify/exfiltrate service mesh configuration details.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Contour to version v1.33.4, v1.32.5, or v1.31.6 to remediate the Lua code injection vulnerability as described in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor HTTPProxy resource creation and modification events for suspicious patterns or unexpected values in the \u003ccode\u003espec.routes[].cookieRewritePolicies[].pathRewrite.value\u003c/code\u003e and \u003ccode\u003espec.routes[].services[].cookieRewritePolicies[].pathRewrite.value\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eImplement RBAC least privilege principles to restrict access to creating and modifying \u003ccode\u003eHTTPProxy\u003c/code\u003e resources, mitigating the initial access vector required to exploit this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-09-contour-lua-injection/","summary":"Contour's Cookie Rewriting feature is vulnerable to Lua code injection; an attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in the `spec.routes[].cookieRewritePolicies[].pathRewrite.value` or `spec.routes[].services[].cookieRewritePolicies[].pathRewrite.value` fields, resulting in arbitrary code execution in the Envoy proxy.","title":"Contour HTTPProxy Lua Code Injection via Cookie Path Rewrite","url":"https://feed.craftedsignal.io/briefs/2024-01-09-contour-lua-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Lua","version":"https://jsonfeed.org/version/1.1"}