CVE-2026-35093 is a critical vulnerability identified in the libinput library used by Red Hat Enterprise Linux 10. The flaw arises from improper control over the generation and execution of code, specifically involving Lua bytecode files. An attacker with local access can place a maliciously crafted Lua bytecode file into certain system or user configuration directories that libinput processes. Because libinput is used by programs such as graphical compositors, the injected code executes with the same privileges as these programs, effectively bypassing security restrictions. This can lead to unauthorized code execution, allowing attackers to monitor keyboard inputs, potentially capturing sensitive information such as passwords or encryption keys, and send this data to external locations. The vulnerability has a CVSS 3.1 score of 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and requiring only low privileges but no user interaction. While no exploits are currently known in the wild, the vulnerability's nature and impact make it a significant threat to affected systems. The flaw underscores the risks of insufficient validation and control over code execution paths within system libraries handling user or system configuration files.

The impact of CVE-2026-35093 is substantial for organizations running Red Hat Enterprise Linux 10, particularly those relying on graphical compositors or other programs interfacing with libinput. Successful exploitation allows local attackers to execute arbitrary code with the privileges of the targeted program, potentially leading to full compromise of user sessions. Confidentiality is at high risk due to the ability to monitor keyboard inputs, which can expose credentials, personal data, and other sensitive information. Integrity and availability are also affected, as attackers can manipulate system behavior or cause denial of service. This vulnerability could facilitate lateral movement within networks if attackers gain initial local access, increasing the overall risk profile. Organizations in sectors with high security requirements, such as finance, government, and critical infrastructure, face elevated risks. The absence of known exploits in the wild provides a window for proactive mitigation, but the vulnerability’s characteristics demand urgent attention to prevent future attacks.

To mitigate CVE-2026-35093, organizations should immediately apply any patches or updates provided by Red Hat for libinput and related components. In the absence of patches, restrict write permissions to system and user configuration directories processed by libinput to trusted users only, preventing unauthorized placement of Lua bytecode files. Employ file integrity monitoring to detect unauthorized changes in these directories. Limit local user privileges to the minimum necessary, reducing the pool of potential attackers who can exploit this vulnerability. Additionally, consider isolating graphical compositor processes using sandboxing or containerization techniques to limit the impact of code execution. Monitor system logs and use endpoint detection tools to identify suspicious activity related to libinput or graphical compositors. Educate system administrators about the risk and ensure that local access controls are enforced rigorously. Finally, maintain a robust incident response plan to quickly address any exploitation attempts.