Critical InputPlumber Flaws Allow UI Injection & DoS
Critical vulnerabilities have been identified in InputPlumber, a Linux input device utility utilized within SteamOS. These flaws present a significant risk, potentially enabling attackers to inject malicious UI inputs or trigger denial-of-service conditions on affected systems.
SUSE researchers track the flaws as CVE-2025-66005 and CVE-2025-14338, which affect InputPlumber versions before v0.69.0 and stem from inadequate D-Bus authorization mechanisms.
InputPlumber combines Linux input devices into virtual input devices and runs with full root privileges, making these flaws particularly dangerous.
The vulnerabilities allow any user on the system, including low-privilege accounts, to access InputPlumber’s D-Bus service without authentication.
| CVE ID | Issue | Affected Versions | Impact |
|---|---|---|---|
| CVE-2025-66005 | Missing authorization in D-Bus interface | < v0.63.0 | DoS, info leak, privilege escalation |
| CVE-2025-14338 | Polkit auth disabled + auth race condition | < v0.69.0 | DoS, info leak, privilege escalation |
Attackers Exploit this Access in Multiple Ways
UI Input Injection: Malicious actors can create virtual keyboard devices and inject keystrokes into active user sessions.
This could lead to arbitrary code execution in the context of the currently logged-in user, compromising their session and data.
Denial-of-Service: The CreateCompositeDevice method accepts file paths from clients, allowing attackers to trigger memory exhaustion by passing special files such as /dev/zero.
Information Disclosure: The same method can perform file existence tests and leak sensitive information from files normally inaccessible to low-privilege users, such as /root/.bash_history.
The vulnerabilities primarily affect Linux gaming systems running InputPlumber, including SteamOS. Valve has released SteamOS 3.7.20, which includes the InputPlumber v0.69.0 fix.
Upstream developers have addressed most issues by switching to proper Polkit authentication, enabling authorization by default, and applying systemd hardening.
However, some D-Bus API improvements that use file descriptors instead of pathnames remain unmerged.
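The pathname handling behind the denial-of-service and information-disclosure items above, and the descriptor-based design noted as still unmerged, are shown here from the service side in Rust. This is an added example, not InputPlumber's code: `read_client_file`, `Rejected` and the 64 KiB cap are hypothetical, and it assumes the client opened the file itself and handed the descriptor to the service.

```rust
use std::fs::File;
use std::io::{self, Read};

// Hypothetical cap on a device definition file; not a value from InputPlumber.
const MAX_CONFIG_BYTES: u64 = 64 * 1024;

#[derive(Debug, PartialEq)]
enum Rejected {
    NotRegularFile,
    TooLarge(u64),
    Io(io::ErrorKind),
}

/// Read a client-supplied, already opened file with the checks a root service
/// needs. Taking a `File` (a descriptor the caller opened under its own
/// credentials) instead of a pathname means the service never opens anything
/// the caller could not read itself, which removes the information leak.
fn read_client_file(file: File) -> Result<Vec<u8>, Rejected> {
    // fstat() on the descriptor, so the check and the read see the same object.
    let meta = file.metadata().map_err(|e| Rejected::Io(e.kind()))?;
    // /dev/zero is a character device: refuse it, along with FIFOs, sockets
    // and directories, before reading a single byte.
    if !meta.file_type().is_file() {
        return Err(Rejected::NotRegularFile);
    }
    if meta.len() > MAX_CONFIG_BYTES {
        return Err(Rejected::TooLarge(meta.len()));
    }
    // The file can grow after fstat(), so the read itself is bounded too.
    let mut buf = Vec::new();
    file.take(MAX_CONFIG_BYTES + 1)
        .read_to_end(&mut buf)
        .map_err(|e| Rejected::Io(e.kind()))?;
    if buf.len() as u64 > MAX_CONFIG_BYTES {
        return Err(Rejected::TooLarge(buf.len() as u64));
    }
    Ok(buf)
}

fn main() {
    // Constructed inputs: a small temp file, and /dev/zero as the hostile case.
    let ok = std::env::temp_dir().join("example-device.yaml");
    std::fs::write(&ok, b"name: example\n").expect("write sample");
    for path in [ok.as_path(), std::path::Path::new("/dev/zero")] {
        let file = File::open(path).expect("open");
        println!("{} -> {:?}", path.display(), read_client_file(file));
    }
}
```

The type and size checks address the memory-exhaustion case only; authorization of the D-Bus caller is a separate control, handled upstream through Polkit as described above.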
SUSE researchers advise system administrators to immediately update to InputPlumber v0.69.0 or later, especially on gaming systems and SteamOS installations.
The coordinated disclosure process between SUSE security researchers and InputPlumber developers ensured fixes were available before public disclosure.