new file mode 100644
@@ -0,0 +1,79 @@
+From 76f0d8a7f57e2868882864b4611281f12f704b55 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 1 Jun 2026 10:48:24 +1000
+Subject: [PATCH] libinput-device-group: sanitize phys before printing it
+
+A malicious uinput device could set the phys value (via UI_SET_PHYS)
+to contain a '\n'. When the value is printed as part of the device group
+the udev rules will interpret it as separate property.
+
+Depending on the property this can cause local privilege escalation.
+
+Closes #1296
+
+Found-by: Csome
+Part-of: <https://gitlab.freedesktop.org/libinput/libinput/-/merge_requests/1487>
+
+CVE: CVE-2026-50292
+Upstream-Status: Backport [https://gitlab.freedesktop.org/libinput/libinput/-/commit/76f0d8a7f57e2868882864b4611281f12f704b55]
+
+Signed-off-by: Omkar Patil <OmkarAbaji.Patil@windriver.com>
+---
+ udev/libinput-device-group.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/udev/libinput-device-group.c b/udev/libinput-device-group.c
+index cdb38c0b..f9188406 100644
+--- a/udev/libinput-device-group.c
++++ b/udev/libinput-device-group.c
+@@ -107,7 +107,8 @@ wacom_handle_ekr(struct udev_device *device,
+
+ udev_list_entry_foreach(entry, udev_enumerate_get_list_entry(e)) {
+ struct udev_device *d;
+- const char *path, *phys;
++ _autofree_ char *phys = NULL;
++ const char *path;
+ const char *pidstr, *vidstr;
+ int pid, vid, dist;
+
+@@ -122,7 +123,7 @@ wacom_handle_ekr(struct udev_device *device,
+
+ vidstr = udev_device_get_property_value(d, "ID_VENDOR_ID");
+ pidstr = udev_device_get_property_value(d, "ID_MODEL_ID");
+- phys = udev_device_get_sysattr_value(d, "phys");
++ phys = str_sanitize(udev_device_get_sysattr_value(d, "phys"));
+
+ if (vidstr && pidstr && phys && safe_atoi_base(vidstr, &vid, 16) &&
+ safe_atoi_base(pidstr, &pid, 16) && vid == VENDOR_ID_WACOM &&
+@@ -134,7 +135,7 @@ wacom_handle_ekr(struct udev_device *device,
+ best_dist = dist;
+
+ free(*phys_attr);
+- *phys_attr = safe_strdup(phys);
++ *phys_attr = steal(&phys);
+ }
+ }
+
+@@ -151,7 +152,8 @@ main(int argc, char **argv)
+ int rc = 1;
+ struct udev *udev = NULL;
+ struct udev_device *device = NULL;
+- const char *syspath, *phys = NULL;
++ _autofree_ char *phys = NULL;
++ const char *syspath = NULL;
+ const char *product;
+ int bustype, vendor_id, product_id, version;
+ char group[1024];
+@@ -175,8 +177,7 @@ main(int argc, char **argv)
+ * bit and use the remainder as device group identifier */
+ while (device != NULL) {
+ struct udev_device *parent;
+-
+- phys = udev_device_get_sysattr_value(device, "phys");
++ phys = str_sanitize(udev_device_get_sysattr_value(device, "phys"));
+ if (phys)
+ break;
+
+--
+GitLab
+
@@ -16,6 +16,7 @@ SRC_URI = "git://gitlab.freedesktop.org/libinput/libinput.git;protocol=https;bra
file://CVE-2026-35093.patch \
file://CVE-2026-35094.patch \
file://run-ptest \
+ file://CVE-2026-50292.patch \
"
SRCREV = "042c5e6fd9cc910307027a1522453794b29f2c72"
In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution Reference: [https://nvd.nist.gov/vuln/detail/CVE-2026-50292] Signed-off-by: Omkar Patil <OmkarAbaji.Patil@windriver.com> --- .../wayland/libinput/CVE-2026-50292.patch | 79 +++++++++++++++++++ .../wayland/libinput_1.30.2.bb | 1 + 2 files changed, 80 insertions(+) create mode 100644 meta/recipes-graphics/wayland/libinput/CVE-2026-50292.patch