CVE-2026-50292: In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution
Overview
- Severity
- High (CVSS 7.4)
- CVSS Vector
- CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Exploit Status
- Not Exploited
- Patch Tuesday
- 2026-Jun
- Released
- 2026-06-06
- EPSS Score
- 0.02% (percentile: 5.9%)
Affected Products (1)
Open Source Software
- azl3 libinput 1.25.0-1 on Azure Linux 3.0
Revision History
- 2026-06-06: Information published.