HarborGuard Database
CVE-2026-50292 · Severity: HIGH · CNA: mitre

CVE-2026-50292

In libinput before 1.30.4 and 1.31.x before 1.31.3, the libinput-device-group udev helper writes the device's phys string to its output without escaping it. A crafted phys string can therefore inject additional udev properties, leading to arbitrary code execution as root.

Metrics

  • CVSS v3.1 base score: 7.4 (HIGH)
  • Fixed in: 1.30.4 (1.30.x branch) and 1.31.3 (1.31.x branch)
  • Affected products: 1


HarborGuard Analysis

Synopsis

This is a local privilege-escalation and arbitrary code execution vulnerability in libinput, the input-device handling library used by Wayland compositors and the X.org libinput driver on Linux. The affected component is libinput-device-group, the udev helper that libinput's udev rules run for each input device; udev imports the helper's standard output as device properties. Because the helper emits the device's phys string unescaped, an attacker with an existing foothold on the host (no network access or authentication required) who can get a device with a crafted phys string processed by the helper can inject udev properties of their choosing, and udev acts on those properties as root. The CVSS vector (AV:L/AC:H/PR:N) rates this as a local attack that needs no privileges but depends on conditions the attacker does not fully control. Successful exploitation gives the attacker full root-level code execution on the affected host. Patched-image rebuilds at versions 1.30.4 and 1.31.3 are available on HarborGuard for environments running an affected version.
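To make the injection pattern concrete, the following is a small Python model added for this page; it is not libinput's code and does not reproduce the real helper's output format or group derivation. It assumes, as the CVE text implies, that the helper prints KEY=value lines that udev imports via IMPORT{program}, that a phys string containing a newline is the injection vector, and that a fail-closed allowlist on the phys string is an acceptable fix. The property name LIBINPUT_DEVICE_GROUP is real; the group derivation, the allowlist and the sample phys strings are constructed for the example.

```python
"""Model of the udev property-injection pattern described in CVE-2026-50292.

Added example, not libinput code. Assumptions: udev parses the helper's stdout
as KEY=value lines (the IMPORT{program} convention); the phys string comes
from the device and may contain a newline; the output format is simplified.
"""
import re

# udev property names: letters, digits and underscore (assumption for this model).
_KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Conservative allowlist for a sysfs 'phys' value such as 'usb-0000:00:14.0-1/input0'.
# Note: checked with fullmatch(), not '^...$' and match(): in Python '$' also
# matches just before a trailing newline, which is exactly the byte we must reject.
_SAFE_PHYS_RE = re.compile(r"[A-Za-z0-9._:/-]+")


def udev_import(stdout: str) -> dict:
    """Minimal model of what udev does with an IMPORT{program} helper's stdout:
    every well-formed KEY=value line becomes a device property."""
    props = {}
    for line in stdout.splitlines():
        key, sep, value = line.partition("=")
        if sep and _KEY_RE.fullmatch(key):
            props[key] = value
    return props


def _device_group(phys: str) -> str:
    # Toy group derivation: drop the trailing '/inputN' so all interfaces of one
    # physical device share a group. The real helper's rule is more involved.
    return phys.rsplit("/input", 1)[0]


def vulnerable_helper(phys: str) -> str:
    """The bug class: the phys string reaches stdout without escaping, so a
    newline inside it starts a second KEY=value line that udev will import."""
    return f"LIBINPUT_DEVICE_GROUP={_device_group(phys)}\n"


def hardened_helper(phys: str) -> str:
    """Fail closed: refuse any phys string that is not plain path-like ASCII.
    A real device's phys value never needs control characters, so rejecting
    (rather than escaping) loses nothing and leaves no encoding to get wrong."""
    if not _SAFE_PHYS_RE.fullmatch(phys):
        raise ValueError("refusing phys string with unsafe characters: %r" % phys)
    return f"LIBINPUT_DEVICE_GROUP={_device_group(phys)}\n"


def injected_properties(phys: str) -> dict:
    """Properties udev would import from the vulnerable helper beyond the one
    it is supposed to set; empty for a benign phys string."""
    props = udev_import(vulnerable_helper(phys))
    props.pop("LIBINPUT_DEVICE_GROUP", None)
    return props


# Constructed sample inputs (not captured from a real device).
BENIGN_PHYS = "usb-0000:00:14.0-1/input0"
CRAFTED_PHYS = "usb-0000:00:14.0-1\nINJECTED_PROPERTY=1\n/input0"

if __name__ == "__main__":
    print("benign  ->", udev_import(vulnerable_helper(BENIGN_PHYS)))
    print("crafted ->", udev_import(vulnerable_helper(CRAFTED_PHYS)))
    try:
        hardened_helper(CRAFTED_PHYS)
    except ValueError as exc:
        print("hardened helper:", exc)
```

Run stand-alone, the crafted phys string yields a second property (INJECTED_PROPERTY=1) from the vulnerable helper and a refusal from the hardened one. Whether an injected property turns into root code execution depends on which udev rules on the host match on it; the model only shows the injection step the advisory describes.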

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle libinput directly. Any image packaging a libinput version below 1.30.4, or from 1.31.0 up to but not including 1.31.3, is flagged automatically. Note that a distribution package may carry the fix as a backport without a version bump; in that case the distribution's advisory, not the upstream version number, is the authority.
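The affected ranges on this page can be expressed as a small checker. This is an added example, not HarborGuard's matcher; it assumes the string being checked contains libinput's upstream version (for example the output of `libinput --version` or a package version such as 1.30.3-1ubuntu1) and takes the two ranges directly from the affected-packages entry on this page. The inventory lines are constructed for the example.

```python
"""Affected-version check for CVE-2026-50292 (added example, not HarborGuard code).

Ranges come from this page's affected-packages entry:
  [0, 1.30.4)  and  [1.31.0, 1.31.3)
Input is assumed to carry an upstream libinput version such as '1.30.3'; a
distribution suffix like '-1ubuntu1' or '.fc41' is ignored by the parser.
"""
import re

# (inclusive lower bound, exclusive upper bound) pairs, as int tuples.
AFFECTED_RANGES = (
    ((0, 0, 0), (1, 30, 4)),
    ((1, 31, 0), (1, 31, 3)),
)
FIXED_VERSIONS = ("1.30.4", "1.31.3")

# First dotted number with at least two components, so 'libinput2 1.30.3'
# does not pick up the '2'.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text: str) -> tuple:
    """Extract the version from a string and return it as a tuple of ints padded
    to three components, so '1.31' compares as (1, 31, 0) and '1.9.0' < '1.10.0'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no version number in %r" % text)
    parts = tuple(int(part) for part in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts)) if len(parts) < 3 else parts


def is_affected(text: str) -> bool:
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(text: str):
    """Fix version on the same release branch as the input, or None when the
    input is not inside an affected range."""
    v = parse_version(text)
    if not any(lo <= v < hi for lo, hi in AFFECTED_RANGES):
        return None
    return "1.31.3" if v >= (1, 31, 0) else "1.30.4"


# Constructed inventory (hostname, package, version string); not real data.
SAMPLE_INVENTORY = """\
build-01   libinput   1.29.0
build-02   libinput   1.30.3-1ubuntu1
desk-03    libinput   1.30.4
kiosk-04   libinput   1.31.2
kiosk-05   libinput   1.31.3
lab-06     libinput   1.31
"""


def scan_inventory(inventory: str) -> dict:
    """Map hostname -> recommended fix version for every affected libinput entry."""
    findings = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, package, version = line.split()
        if package != "libinput":
            continue
        fix = recommended_fix(version)
        if fix is not None:
            findings[host] = fix
    return findings


if __name__ == "__main__":
    for host, fix in sorted(scan_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host}: affected, upgrade to {fix}")
```

The comparison is numeric on padded tuples, which is what makes 1.31 land inside the 1.31.x range and keeps 1.30.5 (above the 1.30 fix) out of it. A version-only check cannot see a distribution backport, which is why the detection paragraph above defers to the distribution's advisory in that case.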
Triage: Available

HarborGuard scores this CVE at CVSS 7.4 HIGH and weights it further against each environment's compliance policy, which can raise routing priority for workloads with privileged host access. Triage alerts are routed to the team or inbox designated in each customer org's notification rules.
Patch: Available

A patched-image rebuild at libinput 1.30.4 or 1.31.3 becomes available on HarborGuard as soon as base images carrying the fix are published upstream. For customers who opt into auto-remediation, HarborGuard can trigger the rebuild, run the configured regression suite, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required (CVSS AV:L)

    The attacker needs an existing shell or process on the host; no network access to any service is involved.

  • Authentication: Not required (CVSS PR:N)

    No account or credential is needed to trigger the vulnerability once local access to the host is established.

  • Victim interaction: Not required (CVSS UI:N)

    Exploitation is fully attacker-driven and does not require any action from another user or administrator.

  • Attack complexity: High (CVSS AC:H)

    Exploitation depends on environmental factors outside the attacker's direct control: a device whose phys string the attacker controls has to be processed by the vulnerable helper, and the injected udev properties have to be acted on by the host's udev configuration in a way that yields code execution. A reliable exploit is therefore harder to construct, but not impossible.

Blast Radius

  • The attacker executes arbitrary code as root on the affected host, gaining full control of the operating system.
  • All data accessible to the root user (credentials, secrets, application data) is readable by the attacker.
  • The attacker can modify or delete any file on the host, including system binaries, configuration, and persisted application state.
  • The attacker can crash or destabilize any service running on the host, causing a full denial of service.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image found to carry an affected libinput version, with CVSS 7.4 HIGH scoring applied and triage routed according to each environment's compliance policy. Where compliance policy permits and auto-remediation is enabled, HarborGuard can rebuild the image at libinput 1.30.4 or 1.31.3, execute the configured regression tests, and open a PR against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled.

Because the vulnerable code path is a udev helper, the exposure is primarily on hosts, and on privileged or systemd-style containers, where udev processes input-device events with libinput's rules installed; the host's libinput package should therefore be updated alongside any container rebuilds. This vulnerability is locally exploitable and leads to root code execution, so customers who cannot immediately rebuild are advised to enforce strict pod-level privilege boundaries (no hostPID, no privileged containers) and to audit which workloads mount host input devices, as a compensating control while the patched image is validated. These controls limit which workloads can reach the vulnerable path; they do not remove it.


Fix available: 1.30.4, 1.31.3
Affected packages
  • freedesktop / libinput
    < 1.30.4 (from 0) · < 1.31.3 (from 1.31.0)
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H