Essential vulnerabilities in InputPlumber, a Linux enter machine utility utilized in SteamOS, might enable attackers to inject UI inputs and trigger denial-of-service situations on affected programs.
The SUSE researchers tracked as CVE-2025-66005 and CVE-2025-14338, which have an effect on InputPlumber variations earlier than v0.69.0 and stem from insufficient D-Bus authorization mechanisms.
InputPlumber combines Linux enter gadgets into digital enter gadgets and runs with full root privileges, making these flaws notably harmful.
The vulnerabilities enable any consumer on the system, together with low-privilege accounts, to entry InputPlumber’s D-Bus service with out authentication.
CVE IDIssueAffected VersionsImpactCVE-2025-66005Missing authorization in D-Bus interface< v0.63.0DoS, data leak, privilege escalationCVE-2025-14338Polkit auth disabled + auth race situation< v0.69.0DoS, data leak, privilege escalation
Attackers Exploit this Entry in A number of Methods
UI Enter Injection: Malicious actors can create digital keyboard gadgets and inject keystrokes into energetic consumer periods.
This might result in arbitrary code execution within the context of the at present logged-in consumer, compromising their session and knowledge.
Denial-of-Service: The CreateCompositeDevice technique accepts file paths from shoppers, permitting attackers to set off reminiscence exhaustion by passing particular information corresponding to /dev/zero.
Data Disclosure: The identical technique can carry out file existence checks and leak delicate data from information usually inaccessible to low-privilege customers, corresponding to /root/.bash_history.
The vulnerabilities primarily have an effect on Linux gaming programs working InputPlumber, together with SteamOS. Valve has launched SteamOS 3.7.20, which incorporates the InputPlumber v0.69.0 repair.
Upstream builders have addressed most points by switching to correct Polkit authentication, enabling authorization by default, and making use of systemd hardening.
Nevertheless, some D-Bus API enhancements that use file descriptors as a substitute of pathnames stay unmerged.
SUSE researchers advise system directors to right away replace to InputPlumber v0.69.0 or later, particularly on gaming programs and SteamOS installations.
The coordinated disclosure course of between SUSE safety researchers and InputPlumber builders ensured fixes had been out there earlier than public disclosure.
Observe us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to function your tales.
