Amazon Linux 2 Security Advisory: ALAS2-2026-3370
Advisory Released Date: 2026-06-22
Advisory Updated Date: 2026-06-22
A flaw was found in libinput. A local attacker with access to /dev/uinput can inject arbitrary udev properties through the libinput-device-group helper. This injection can lead to root code execution, for example, by exploiting REMOVE_CMD properties that are executed when a device is removed. This vulnerability allows an attacker to gain elevated privileges on the system. (CVE-2026-50265)
In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution (CVE-2026-50292)
Affected Packages:
libinput
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update libinput or yum update --advisory ALAS2-2026-3370 to update your system.
aarch64:
libinput-1.8.4-2.amzn2.0.1.aarch64
libinput-devel-1.8.4-2.amzn2.0.1.aarch64
libinput-debuginfo-1.8.4-2.amzn2.0.1.aarch64
i686:
libinput-1.8.4-2.amzn2.0.1.i686
libinput-devel-1.8.4-2.amzn2.0.1.i686
libinput-debuginfo-1.8.4-2.amzn2.0.1.i686
src:
libinput-1.8.4-2.amzn2.0.1.src
x86_64:
libinput-1.8.4-2.amzn2.0.1.x86_64
libinput-devel-1.8.4-2.amzn2.0.1.x86_64
libinput-debuginfo-1.8.4-2.amzn2.0.1.x86_64