Description

A flaw was found in libinput. A local attacker with access to /dev/uinput can inject arbitrary udev properties through the libinput-device-group helper. This injection can lead to root code execution, for example, by exploiting REMOVE_CMD properties that are executed when a device is removed. This vulnerability allows an attacker to gain elevated privileges on the system.

PUBLISHED | Reserved 2026-06-04 | Published 2026-06-05 | Updated 2026-06-05 | Assigner redhat

HIGH: 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Timeline

2026-06-05: Reported to Red Hat.
2026-06-05: Made public.

References

www.openwall.com/lists/oss-security/2026/06/04/16

access.redhat.com/security/cve/CVE-2026-50265 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2485390 (RHBZ#2485390) issue-tracking

gitlab.freedesktop.org/libinput/libinput/-/work_items/1296

cve.org (CVE-2026-50265)

nvd.nist.gov (CVE-2026-50265)
