Linuxsecurity
Debian libinput Vulnerabilities Lead to Local Privilege Escalation Risks
Two vulnerabilities affecting local users have been identified in the Debian libinput package. CVE-2022-1215, published on 2022-05-31, allows exploitation of evdev devices to execute arbitrary code. CVE-2026-50292, published on 2026-06-04, involves insufficient sanitization of device properties and leads to local privilege escalation. Debian 11 bullseye has these issues patched in version 1.16.4-3+deb11u1, and the oldstable (bookworm) and stable (trixie) distributions have also received updates. Users are advised to upgrade their libinput packages to mitigate these risks. In specific setups, the vulnerabilities could allow malicious local users to gain elevated privileges.
Key Points:
• CVE-2022-1215 allows arbitrary code execution via evdev devices.
• CVE-2026-50292 leads to local privilege escalation due to poor device property sanitization.
• Debian has released patches for affected versions; users should upgrade immediately.