#VU62452 Format string error in libinput
Vulnerability identifier: #VU62452
Vulnerability risk: Low
CVSSv3.1: 6.4 [CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-134
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
libinput
Other software /
Other software solutions
Vendor: Freedesktop.org
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a format string error during logging operation. A local user with ability to control the device name, e.g. /dev/uinput or Bluetooth devices can trigger a format string error and execute arbitrary code on the system with elevated privileges.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
libinput: 1.20.0, 1.19.0 - 1.19.901, 1.18.0 - 1.18.901, 1.17.0 - 1.17.901, 1.16.0 - 1.16.902, 1.15.0 - 1.15.902, 1.14.0 - 1.14.901, 1.13.0 - 1.13.902, 1.12.0 - 1.12.902, 1.11.0 - 1.11.903, 1.10.0 - 1.10.902
External links
http://gitlab.freedesktop.org/libinput/libinput/-/issues/752
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
