{"id":230268,"date":"2026-04-02T00:00:00","date_gmt":"2026-04-02T04:00:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/02\/libinput-hit-by-worrying-security-issues-with-its-lua-plug-in-system\/"},"modified":"2026-04-02T01:55:08","modified_gmt":"2026-04-02T05:55:08","slug":"libinput-hit-by-worrying-security-issues-with-its-lua-plug-in-system","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/02\/libinput-hit-by-worrying-security-issues-with-its-lua-plug-in-system\/","title":{"rendered":"Libinput Hit By Worrying Security Issues With Its Lua Plug-In System"},"content":{"rendered":"<p><a href=\"https:\/\/www.phoronix.com\/news\/Libinput-Lua-Security-Issues\">Libinput Hit By Worrying Security Issues With Its Lua Plug-In System<\/a><\/p>\n<p><a href=\"https:\/\/www.phoronix.com\/news\/Libinput-Lua-Security-Issues\">https:\/\/www.phoronix.com\/news\/Libinput-Lua-Security-Issues<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-04-02 00:00:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.phoronix.com\">www.phoronix.com<\/a><\/p>\n<p>Libinput devised a Lua-based plug-in system for modifying devices\/events. The Lua plug-in support was introduced last year with libinput 1.30 but unfortunately some security issues have now come to light with the implementation.<\/p>\n<p>These Lua plug-in issues are all the more pressing with libinput being widely used on both X.Org and Wayland based Linux desktops for input handling.<br \/>\n<\/p>\n<p align=\"center\"><img decoding=\"async\" src=\"https:\/\/www.phoronix.net\/image.php?id=2026&#038;image=linux_input_med\" alt=\"input devices on Linux\"\/><\/p>\n<p>CVE-2026-35093 was made public tonight as a sandbox escape in libinput plug-ins. A bug within libinput&#8217;s loader allowed for pre-compiled byte code to be loaded without any verification at run-time. Thus via a Lua plug-in for libinput it was possible to have unrestricted access to the system to the full potential that Lua allows. The bytecode is executed at the process&#8217; privilege level with unrestricted system access.<\/p>\n<p>CVE-2026-35094 was also made public as a use-after-free vulnerability for libinput plug-ins.\n<\/p>\n<p>More details on these libinput security issues via today&#8217;s advisory. As a result of these disclosures, libinput 1.31.1 and libinput 1.30.3 have been released with security fixes for these vulnerabilities.<\/p>\n<p><a href=\"https:\/\/www.phoronix.com\/news\/Libinput-Lua-Security-Issues\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Libinput Hit By Worrying Security Issues With Its Lua Plug-In System https:\/\/www.phoronix.com\/news\/Libinput-Lua-Security-Issues Publish Date: 2026-04-02&#8230;<\/p>\n","protected":false},"author":1,"featured_media":230269,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.phoronix.net\/image.php?id=2026&image=linux_input","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[90,71,57,27],"class_list":["post-230268","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-cve","tag-linux","tag-security","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/230268"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=230268"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/230268\/revisions"}],"predecessor-version":[{"id":230270,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/230268\/revisions\/230270"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/230269"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=230268"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=230268"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=230268"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}