HIGH | CVE-2026-50265 | Published | Modified | CNA redhat

CVE-2026-50265: Libinput: local privilege escalation via crafted uinput devices

A flaw was found in libinput. A local attacker with access to /dev/uinput can inject arbitrary udev properties through the libinput-device-group helper. This injection can lead to root code execution, for example, by exploiting REMOVE_CMD properties that are executed when a device is removed. This vulnerability allows an attacker to gain elevated privileges on the system.

Metrics

  • CVSS v3.1: 7.0
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 4

HarborGuard Analysis

Synopsis

A local privilege escalation vulnerability exists in libinput, the input device handling library used on Linux systems. A local attacker who already has access to /dev/uinput can inject arbitrary udev properties through the libinput-device-group helper, including REMOVE_CMD properties that are executed as root when a device is removed. Successful exploitation gives the attacker full root-level code execution on the host. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-50265 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Red Hat advisories) within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle libinput or ship a Red Hat Enterprise Linux base layer.

Status: Available

Triage

HarborGuard scores this CVE at 7.0 HIGH per the CVSS v3.1 rating and is capable of weighting that score against each customer environment's compliance policy, flagging affected images at the severity tier that maps to the customer's defined response SLA and routing alerts to the appropriate team inbox within the customer org.

Status: Available

Patch

Because no upstream fix version has been published yet, HarborGuard re-checks the Red Hat advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment a fix lands upstream. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered without requiring manual intervention once the fix is available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the target is required.

  • Authentication: Required

    A low-privilege local account is sufficient; the attacker does not need administrative credentials, but must have an authenticated session on the system.

  • Victim interaction: Not required

    No user interaction is required; the attacker can carry out the full exploit without any action from another user.

  • Attack complexity: Detail

    Attack complexity is high, meaning the exploit depends on environmental factors or timing conditions (such as the precise moment a uinput device is removed) that the attacker cannot fully control and may need to repeat.

Blast Radius

  • Attacker executes arbitrary code as root by abusing a REMOVE_CMD udev property triggered on device removal.
  • Full read access to all files and secrets on the host, including credentials, private keys, and container runtime socket tokens.
  • Full write access to the filesystem, allowing the attacker to modify binaries, install backdoors, or alter audit logs.
  • Complete denial of service is achievable by crashing or killing any process, including the container runtime or init system.

How HarborGuard Handles This

Available on HarborGuard: the CVE is matched against customer images containing libinput or an affected Red Hat Enterprise Linux base layer as soon as the advisory is ingested. Because Red Hat has not yet published a fix version, no patched-image rebuild is available at this time. HarborGuard polls the Red Hat advisory on every ingest cycle and will surface a rebuild the moment a fix is released upstream; for customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will follow automatically.

While no patch exists, recommended compensating controls include:

  • Restricting /dev/uinput permissions inside container workloads via seccomp or device-cgroup rules.
  • Applying a network policy that limits lateral movement from any compromised container.
  • Auditing which images in your registry ship libinput or an RHEL base so those images can be prioritized for replacement once the fix lands.
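One way to check container workloads for /dev/uinput exposure, as an added example that is not HarborGuard's or Red Hat's code: it reads `docker inspect` records and reports containers that run privileged, have the /dev/uinput node passed through, or carry a device-cgroup rule covering character device 10:223 (the Linux misc major and the uinput minor). The container names and inspect records are constructed sample data.

```python
import json

UINPUT_PATH = "/dev/uinput"
UINPUT_MAJOR, UINPUT_MINOR = "10", "223"  # Linux misc major, UINPUT_MINOR

def rule_allows_uinput(rule):
    """True if a device-cgroup rule such as 'c 10:223 rwm' covers uinput."""
    parts = rule.split()
    if len(parts) != 3 or ":" not in parts[1]:
        return False  # malformed rule: not treated as a match
    dev_type, numbers, _perms = parts
    major, minor = numbers.split(":", 1)
    return (dev_type in ("c", "a")              # char devices, or "all"
            and major in (UINPUT_MAJOR, "*")
            and minor in (UINPUT_MINOR, "*"))

def uinput_exposure(container):
    """Return the reasons one `docker inspect` record can reach /dev/uinput."""
    host = container.get("HostConfig") or {}
    reasons = []
    if host.get("Privileged"):
        reasons.append("privileged")            # all host devices allowed
    for dev in host.get("Devices") or []:       # inspect may emit null here
        if UINPUT_PATH in (dev.get("PathOnHost"), dev.get("PathInContainer")):
            reasons.append("device:" + dev.get("CgroupPermissions", ""))
    for rule in host.get("DeviceCgroupRules") or []:
        if rule_allows_uinput(rule):
            reasons.append("cgroup-rule:" + rule)
    return reasons

def audit(containers):
    """Map container name -> exposure reasons, omitting unexposed containers."""
    return {c["Name"]: r for c in containers if (r := uinput_exposure(c))}

# Constructed sample shaped like `docker inspect` output (not real data).
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/web", "HostConfig": {"Privileged": false, "Devices": [],
   "DeviceCgroupRules": null}},
 {"Name": "/kiosk", "HostConfig": {"Privileged": false, "Devices": [
   {"PathOnHost": "/dev/uinput", "PathInContainer": "/dev/uinput",
    "CgroupPermissions": "rwm"}], "DeviceCgroupRules": null}},
 {"Name": "/builder", "HostConfig": {"Privileged": false, "Devices": null,
   "DeviceCgroupRules": ["c 10:* rw"]}},
 {"Name": "/agent", "HostConfig": {"Privileged": true, "Devices": [],
   "DeviceCgroupRules": null}}
]""")

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_INSPECT).items():
        print(name, reasons)
```
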

Affected packages
  • Red Hat / Red Hat Enterprise Linux 10
  • Red Hat / Red Hat Enterprise Linux 7
  • Red Hat / Red Hat Enterprise Linux 8
  • Red Hat / Red Hat Enterprise Linux 9
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H