CVE-2026-35094 is a vulnerability identified in the libinput library used by Red Hat Enterprise Linux 10. The flaw arises from a dangling pointer dereference triggered during the garbage collection cleanup of Lua plugins loaded by the compositor. Specifically, when a Lua plugin file is deployed in certain system directories and loaded, the garbage collector calls a cleanup function that leaves behind an expired pointer. This pointer may then be printed to system logs, potentially exposing sensitive memory contents if the memory location is reused. Exploitation requires that Lua plugins are enabled in libinput and that the compositor loads these plugins. An attacker must have local privileges sufficient to place a Lua plugin file in the targeted directories, but no user interaction is needed to trigger the vulnerability. The vulnerability impacts confidentiality by potentially leaking sensitive data but does not affect integrity or availability. The CVSS v3.1 base score is 3.3, reflecting low severity due to limited impact and exploitation complexity. No known exploits have been reported in the wild, and no patches are currently linked, though Red Hat is expected to release fixes. This vulnerability highlights risks associated with plugin management and memory handling in system libraries that interface with graphical environments.

The primary impact of CVE-2026-35094 is potential information disclosure through system logs, which may contain sensitive data from memory locations referenced by the dangling pointer. While the confidentiality impact is limited, exposure of sensitive information could aid attackers in further reconnaissance or privilege escalation. The vulnerability requires local access and the ability to deploy Lua plugins, limiting the attack surface to insiders or attackers who have already compromised a low-privilege account. There is no impact on system integrity or availability, so the threat does not directly cause system disruption or data modification. However, organizations relying on Red Hat Enterprise Linux 10 with enabled Lua plugins in libinput, especially in environments with sensitive graphical sessions, could face increased risk of data leakage. The absence of known exploits reduces immediate risk, but the vulnerability should be addressed proactively to prevent future exploitation.

To mitigate CVE-2026-35094, organizations should first verify if Lua plugin support is enabled in libinput and whether the compositor loads such plugins. If Lua plugins are not required, disabling this feature can eliminate the attack vector. Restrict write permissions on system directories where Lua plugins are loaded to trusted administrators only, preventing unauthorized plugin deployment. Monitor system logs for unusual entries that may indicate exploitation attempts involving expired pointers. Apply patches from Red Hat promptly once they become available. Additionally, implement strict local access controls and auditing to detect and prevent unauthorized file placements. Employ runtime protections such as memory safety tools or hardened garbage collection mechanisms if feasible. Regularly review and update security policies governing plugin management and local privilege assignments to minimize risk.