CVE-2026-50292

HIGH

In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution

CVSS v3.1 Score

7.4
HIGH
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
LOCAL
Complexity
HIGH
Privileges
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Published: 6/4/2026Modified: 6/5/2026

Related Intelligence (2)

CRITICALZero Day

Patch Tuesday - June 2026

Microsoft is publishing 200 vulnerabilities on June 2026 Patch Tuesday . Microsoft is not aware of exploitation in the wild for any of these vulnerabilities, and is aware of public disclosure for three. This is similar to last month’s Patch Tuesday, however several of last month’s vulnerabilities ended up on CISA KEV in the days following their publication. So far this month, Microsoft has provide

CVE-2026-33825CVE-2026-45585
Rapid7
CRITICALVulnerability

NVD CRITICAL: CVE-2026-50292 — In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unesca...

In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution

CVE-2026-50292
NIST NVD

References (4)

https://gitlab.freedesktop.org/libinput/libinput/-/commit/76f0d8a7f57e2868882864b4611281f12f704b55Patchhttps://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296Vendor Advisoryhttps://www.openwall.com/lists/oss-security/2026/06/04/5Mailing ListPatchhttps://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296Vendor Advisory