Security researchers have discovered critical vulnerabilities in InputPlumber, a Linux input device utility used in SteamOS, that could allow attackers to inject keystrokes, leak sensitive information, and cause denial-of-service conditions.
The flaws, tracked as CVE-2025-66005 and CVE-2025-14338, affect InputPlumber versions before v0.69.0 and stem from inadequate D-Bus authorization checks.
| CVE ID | Description | Affected Versions | Impact |
|---|---|---|---|
| CVE-2025-66005 | Lack of authorization on InputManager D-Bus interface | Before v0.63.0 | Local DoS, information leak, privilege escalation |
| CVE-2025-14338 | Polkit authentication disabled by default and race condition | Before v0.69.0 | Authentication bypass, same impacts as CVE-2025-66005 |
InputPlumber combines Linux input devices into virtual controllers and runs with full root privileges, making these vulnerabilities particularly severe.
The vulnerabilities allow unprivileged users to exploit two dangerous D-Bus methods.
The CreateCompositeDevice method accepts file paths without proper validation, enabling attackers to test for the existence of restricted files, exhaust memory by reading from /dev/zero, or leak sensitive data from files like /root/.bash_history.
More critically, the CreateTargetDevice method allows the creation of virtual keyboard devices.
Attackers can inject arbitrary keystrokes into active user sessions, potentially executing commands as the logged-in user.
This could lead to the complete compromise of user accounts and the theft of data.
The vulnerabilities affect any Linux distribution running vulnerable versions of InputPlumber, including SteamOS.
The service runs with root privileges and exposes approximately 90 D-Bus properties across 10 interfaces, amplifying the attack surface.
InputPlumber version v0.69.0 addresses most issues by:
- Switching to secure “system bus name” Polkit subject
- Enabling Polkit authorization by default
- Applying systemd hardening parameters
SteamOS has released version 3.7.20, which includes these fixes. Users should update immediately.
System administrators should verify that InputPlumber is updated to v0.69.0 or later and review Polkit policies to ensure proper authentication requirements remain in place.
The vulnerabilities were discovered during a SUSE security review and disclosed through coordinated disclosure with upstream developers.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.