https://feed.craftedsignal.io/tags/lua/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 01 Apr 2026 14:16:57 +0000https://feed.craftedsignal.io/briefs/2026-04-libinput-code-injection/Wed, 01 Apr 2026 14:16:57 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-libinput-code-injection/A local attacker can exploit CVE-2026-35093 in libinput by placing a specially crafted Lua bytecode file in configuration directories, allowing arbitrary code execution with the privileges of the application using libinput.CVE-2026-35093 describes a code injection vulnerability within the libinput library. This flaw allows a local attacker with the ability to write files to specific system or user configuration directories to bypass security restrictions. By placing a maliciously crafted Lua bytecode file in these directories, an attacker can inject and execute arbitrary code. The injected code runs with the same privileges as the application using libinput, often a graphical compositor. This vulnerability was reported on April 1, 2026, and impacts systems where libinput is used to handle input devices. Successful exploitation can lead to significant compromise of the affected system, allowing attackers to perform actions such as keylogging or further escalating privileges.

Attack Chain

1. The attacker gains initial access to the target system with the ability to write files to the filesystem.
2. The attacker identifies a system or user configuration directory that libinput reads Lua bytecode files from.
3. The attacker crafts a malicious Lua bytecode file designed to execute arbitrary code. This file exploits the vulnerability in libinput’s bytecode parsing.
4. The attacker places the malicious Lua bytecode file into the identified configuration directory.
5. The graphical compositor or other application using libinput loads and parses the malicious Lua bytecode file.
6. The vulnerability in libinput is triggered, causing the malicious code within the bytecode file to be executed.
7. The attacker’s code executes with the same privileges as the application using libinput, gaining control over the compositor.
8. The attacker leverages the elevated privileges to monitor keyboard input, potentially stealing credentials or other sensitive information, and exfiltrates data to an external server.

Impact

Successful exploitation of CVE-2026-35093 allows a local attacker to execute arbitrary code with elevated privileges. This can lead to the compromise of sensitive data, such as keystrokes and credentials, as well as the potential for further system compromise. Given that libinput is used by many graphical compositors and other applications that handle input devices, a successful attack could impact a large number of systems. The impact includes data theft, privilege escalation, and the installation of persistent backdoors.

Recommendation

• Deploy the Sigma rule Detect Suspicious Lua Bytecode File Creation to identify the creation of suspicious Lua bytecode files in configuration directories (logsource: file_event, rule title: Detect Suspicious Lua Bytecode File Creation).
• Monitor file creation events in libinput configuration directories for files with the .lua extension using file integrity monitoring tools.
• Apply any available patches for libinput to address CVE-2026-35093 as soon as they are released.

]]>highadvisorylibinputcode-injectionluacve-2026-35093https://feed.craftedsignal.io/briefs/2024-01-09-contour-lua-injection/Tue, 09 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-09-contour-lua-injection/Contour's Cookie Rewriting feature is vulnerable to Lua code injection; an attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in the `spec.routes[].cookieRewritePolicies[].pathRewrite.value` or `spec.routes[].services[].cookieRewritePolicies[].pathRewrite.value` fields, resulting in arbitrary code execution in the Envoy proxy.Project Contour is susceptible to Lua code injection within its cookie rewriting functionality. The vulnerability arises from insufficient sanitization when user-controlled values are interpolated into Lua source code using Go’s text/template. This affects Contour versions 1.19.0 through 1.33.3. An attacker with the ability to create or modify HTTPProxy resources can inject arbitrary Lua code by crafting malicious values in spec.routes[].cookieRewritePolicies[].pathRewrite.value or spec.routes[].services[].cookieRewritePolicies[].pathRewrite.value. While the injected code executes within the attacker’s own route, the shared nature of the Envoy proxy allows for potential escalation of privileges, including reading Envoy’s xDS client credentials and causing denial of service for other tenants. This vulnerability is resolved in Contour versions v1.33.4, v1.32.5, and v1.31.6.

Attack Chain

1. An attacker gains RBAC permissions to create or modify HTTPProxy resources within the Contour environment.
2. The attacker crafts a malicious HTTPProxy resource containing a cookieRewritePolicies section.
3. Within the cookieRewritePolicies, the attacker injects Lua code into the pathRewrite.value field.
4. The attacker applies the crafted HTTPProxy resource, deploying the malicious configuration to Contour.
5. Contour, using the Envoy proxy, processes the HTTPProxy resource, interpolating the attacker-controlled value into the Lua filter.
6. When traffic is processed on the attacker’s route, the injected Lua code executes within the Envoy proxy.
7. The injected Lua code attempts to read Envoy’s xDS client credentials from the filesystem.
8. The attacker uses the obtained xDS client credentials to read all Contour xDS configuration, including TLS certificates and private keys of other tenants, or to cause a denial of service for other tenants sharing the Envoy instance.

Impact

A successful exploit allows attackers to execute arbitrary code within the Envoy proxy, potentially leading to credential theft and denial of service. Specifically, an attacker can steal TLS certificates and private keys of other tenants within the Contour environment. This could compromise sensitive data and disrupt services. If xDS credentials can be obtained, an attacker can then modify/exfiltrate service mesh configuration details.

Recommendation

• Upgrade Contour to version v1.33.4, v1.32.5, or v1.31.6 to remediate the Lua code injection vulnerability as described in the overview.
• Monitor HTTPProxy resource creation and modification events for suspicious patterns or unexpected values in the spec.routes[].cookieRewritePolicies[].pathRewrite.value and spec.routes[].services[].cookieRewritePolicies[].pathRewrite.value fields.
• Implement RBAC least privilege principles to restrict access to creating and modifying HTTPProxy resources, mitigating the initial access vector required to exploit this vulnerability.

]]>highadvisorycontourluacode-injectionhttpproxycve-2026-41246