Critical InputPlumber Vulnerabilities Allow UI Input Injection and Denial-of-Service

Critical vulnerabilities in InputPlumber, a Linux input device utility used in SteamOS, could allow attackers to inject UI inputs and cause denial-of-service conditions on affected systems.

The flaws, which SUSE researchers track as CVE-2025-66005 and CVE-2025-14338, affect InputPlumber versions before v0.69.0 and stem from inadequate D-Bus authorization mechanisms.

InputPlumber combines Linux input devices into virtual input devices and runs with full root privileges, making these flaws particularly dangerous.

The vulnerabilities allow any user on the system, including low-privilege accounts, to access InputPlumber’s D-Bus service without authentication.

| CVE ID | Issue | Affected Versions | Impact |
|---|---|---|---|
| CVE-2025-66005 | Missing authorization in D-Bus interface | < v0.63.0 | DoS, info leak, privilege escalation |
| CVE-2025-14338 | Polkit auth disabled + auth race condition | < v0.69.0 | DoS, info leak, privilege escalation |

Attackers Can Exploit This Access in Multiple Ways

UI Input Injection: Malicious actors can create virtual keyboard devices and inject keystrokes into active user sessions.

This could lead to arbitrary code execution in the context of the currently logged-in user, compromising their session and data.

Denial-of-Service: The CreateCompositeDevice method accepts file paths from clients, allowing attackers to trigger memory exhaustion by passing special files such as /dev/zero.

Information Disclosure: The same method can perform file existence tests and leak sensitive information from files normally inaccessible to low-privilege users, such as /root/.bash_history.

The vulnerabilities primarily affect Linux gaming systems running InputPlumber, including SteamOS. Valve has released SteamOS 3.7.20, which includes the InputPlumber v0.69.0 fix.

Upstream developers have addressed most issues by switching to proper Polkit authentication, enabling authorization by default, and applying systemd hardening.

However, some D-Bus API improvements that use file descriptors instead of pathnames remain unmerged.
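The sketch below shows why a descriptor-based API closes both the /dev/zero memory exhaustion and the privileged file read described above. It is an added example, not InputPlumber's code; the function names and the 64 KiB cap are assumptions.

```python
import os
import stat

MAX_CONFIG_BYTES = 64 * 1024  # assumed cap: a device definition is small


class RejectedInput(Exception):
    """The client-supplied descriptor is not acceptable input."""


def read_client_file(fd: int, limit: int = MAX_CONFIG_BYTES) -> bytes:
    """Read a file from a descriptor the client opened with its own rights.

    The caller performed the open(), so the root service cannot be used to
    probe for, or read, files the caller has no access to.
    """
    st = os.fstat(fd)  # inspect the object actually opened, not a path
    if not stat.S_ISREG(st.st_mode):
        # /dev/zero, FIFOs, sockets and directories have no meaningful end
        raise RejectedInput("not a regular file")
    if st.st_size > limit:
        raise RejectedInput("file larger than limit")
    # Bounded read: st_size alone is not trusted, the file may grow later
    chunks, remaining = [], limit + 1
    while remaining > 0:
        chunk = os.read(fd, remaining)
        if not chunk:
            break
        chunks.append(chunk)
        remaining -= len(chunk)
    data = b"".join(chunks)
    if len(data) > limit:
        raise RejectedInput("file grew past limit while reading")
    return data


def try_read(fd: int, limit: int = MAX_CONFIG_BYTES) -> str:
    """Return 'ok' or the rejection reason (helper for demonstration)."""
    try:
        read_client_file(fd, limit)
        return "ok"
    except RejectedInput as exc:
        return str(exc)
```

The same fstat and bounded-read checks are still worth applying when a service must accept pathnames, but only descriptor passing moves the access-control decision back to the caller's own credentials.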

SUSE researchers advise system administrators to immediately update to InputPlumber v0.69.0 or later, especially on gaming systems and SteamOS installations.

The coordinated disclosure process between SUSE security researchers and InputPlumber developers ensured fixes were available before public disclosure.

The post Critical InputPlumber Vulnerabilities Allows UI Input Injection and Denial-of-Service appeared first on Cyber Security News.
