Nixpkgs security tracker

Dismissed

Permalink CVE-2026-35094

3.3 LOW

CVSS version (CVSS): 3.1
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

updated 1 month, 3 weeks ago by @LeSuisse Activity log

Created suggestion 1 month, 3 weeks ago
@LeSuisse ignored
6 packages
- gebaar-libinput
- libinput-gestures
- xf86inputlibinput
- xf86-input-libinput
- xlibinput-calibrator
- xorg.xf86inputlibinput
1 month, 3 weeks ago
@LeSuisse dismissed 1 month, 3 weeks ago

Libinput: libinput: information disclosure via dangling pointer in lua plugin handling

A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, leaving a pointer that can then be printed to system logs. This could potentially expose sensitive data if the memory location is re-used, leading to information disclosure. For this exploit to work, Lua plugins must be enabled in libinput and loaded by the compositor.

References

https://access.redhat.com/security/cve/CVE-2026-35094 vdb-entryx_refsource_REDHAT
RHBZ#2453840 issue-trackingx_refsource_REDHAT
https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1272

Affected products

libinput

Matching in nixpkgs

pkgs.libinput

Handles input devices in Wayland compositors and provides a generic X.Org input driver

nixos-unstable 1.29.2
- nixpkgs-unstable 1.29.2
- nixos-unstable-small 1.29.2
nixos-25.11 1.29.2
- nixos-25.11-small 1.29.2
- nixpkgs-25.11-darwin 1.29.2

Ignored packages (6)

pkgs.gebaar-libinput

Gebaar, A Super Simple WM Independent Touchpad Gesture Daemon for libinput

nixos-unstable 0.0.5
- nixpkgs-unstable 0.0.5
- nixos-unstable-small 0.0.5
nixos-25.11 0.0.5
- nixos-25.11-small 0.0.5
- nixpkgs-25.11-darwin 0.0.5

pkgs.libinput-gestures

Gesture mapper for libinput

nixos-unstable 2.79
- nixpkgs-unstable 2.79
- nixos-unstable-small 2.79
nixos-25.11 2.79
- nixos-25.11-small 2.79
- nixpkgs-25.11-darwin 2.79

pkgs.xf86inputlibinput

libinput-based input driver for the Xorg X server

nixos-unstable 1.5.0
- nixpkgs-unstable 1.5.0
- nixos-unstable-small 1.5.0

pkgs.xf86-input-libinput

libinput-based input driver for the Xorg X server

nixos-unstable 1.5.0
- nixpkgs-unstable 1.5.0
- nixos-unstable-small 1.5.0

pkgs.xlibinput-calibrator

Touch calibrator for libinput

nixos-unstable 0.11
- nixpkgs-unstable 0.11
- nixos-unstable-small 0.11
nixos-25.11 0.11
- nixos-25.11-small 0.11
- nixpkgs-25.11-darwin 0.11

pkgs.xorg.xf86inputlibinput

None

nixos-25.11 1.5.0
- nixos-25.11-small 1.5.0
- nixpkgs-25.11-darwin 1.5.0

Package maintainers

@codyopel Cody Opel <codyopel@gmail.com>
@jtojnar Jan Tojnar <jtojnar@gmail.com>

Not impacted

> Versions affected: libinput 1.31.0, libinput 1.30.[0-2]

Suggestion detail