
Critical vulnerabilities in InputPlumber, a Linux input device utility used in SteamOS, could allow attackers to inject UI inputs and cause denial-of-service conditions on affected systems.
SUSE researchers tracked the flaws as CVE-2025-66005 and CVE-2025-14338; they affect InputPlumber versions before v0.69.0 and stem from inadequate D-Bus authorization.
InputPlumber combines Linux input devices into virtual input devices and runs with full root privileges, making these flaws particularly dangerous.
The vulnerabilities allow any user on the system, including low-privilege accounts, to access InputPlumber’s D-Bus service without authentication.
| CVE ID | Issue | Affected Versions | Impact |
|---|---|---|---|
| CVE-2025-66005 | Missing authorization in D-Bus interface | < v0.63.0 | DoS, info leak, privilege escalation |
| CVE-2025-14338 | Polkit auth disabled + auth race condition | < v0.69.0 | DoS, info leak, privilege escalation |
Attackers Exploit this Access in Multiple Ways
UI Input Injection: Malicious actors can create virtual keyboard devices and inject keystrokes into active user sessions.
This could lead to arbitrary code execution in the context of the currently logged-in user, compromising their session and data.
Denial-of-Service: The CreateCompositeDevice method accepts file paths from clients, allowing attackers to trigger memory exhaustion by passing special files such as /dev/zero.
Information Disclosure: The same method can perform file existence tests and leak sensitive information from files normally inaccessible to low-privilege users, such as /root/.bash_history.
The vulnerabilities primarily affect Linux gaming systems running InputPlumber, including SteamOS. Valve has released SteamOS 3.7.20, which includes the InputPlumber v0.69.0 fix.
Upstream developers have addressed most issues by switching to proper Polkit authentication, enabling authorization by default, and applying systemd hardening.
However, some D-Bus API improvements that use file descriptors instead of pathnames remain unmerged.
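The two defensive checks the upstream fix restores, authorizing the caller before any request argument is looked at and restricting which paths a device-creation method will open, can be sketched in Python. The code below is an added illustration written for this article, not InputPlumber's own code: the names `authorize_caller`, `validate_device_path`, `handle_create_composite_device`, `allowed_uids` and `device_root` are assumptions, the UID allow-list is a stand-in for the Polkit policy the real fix uses, and the sample requests at the bottom are constructed. It shows why the order of checks matters: the allow-list prefix check runs before any `stat()`, so a path outside the device tree is rejected without the service ever probing whether it exists, and special files such as `/dev/zero` fail the same check.

```python
import os
import stat

# Results returned to the client. Only one generic path error is exposed,
# so the service cannot be used as a file-existence oracle.
ACCEPTED = "accepted"
REJECTED_UNAUTHORIZED = "unauthorized"
REJECTED_INVALID_PATH = "invalid device path"


def authorize_caller(caller_uid, allowed_uids):
    """Policy gate that runs before any argument is inspected.

    Stand-in for the Polkit/D-Bus credential check (assumption for this
    example). In a real service the caller UID comes from the bus, e.g. via
    org.freedesktop.DBus.GetConnectionUnixUser, never from the request body.
    """
    return caller_uid in allowed_uids


def validate_device_path(path, device_root="/dev/input"):
    """Accept only character devices that resolve inside device_root.

    realpath() resolves symlinks first, so a link inside the root that points
    elsewhere cannot escape the allow-list. The prefix check happens before
    stat(), so paths outside the tree (e.g. /root/.bash_history) are never
    probed, and special files outside it (e.g. /dev/zero) are rejected too.
    """
    root = os.path.realpath(device_root)
    resolved = os.path.realpath(path)
    if os.path.commonpath([root, resolved]) != root:
        return False
    try:
        st = os.stat(resolved)
    except OSError:
        return False
    # Regular files, FIFOs and directories under the root are still refused.
    return stat.S_ISCHR(st.st_mode)


def handle_create_composite_device(caller_uid, source_paths, allowed_uids,
                                   device_root="/dev/input"):
    """Hypothetical hardened handler: authorize first, then validate every path."""
    if not authorize_caller(caller_uid, allowed_uids):
        return REJECTED_UNAUTHORIZED
    if not source_paths:
        return REJECTED_INVALID_PATH
    for p in source_paths:
        if not validate_device_path(p, device_root):
            return REJECTED_INVALID_PATH
    return ACCEPTED


if __name__ == "__main__":
    # Constructed sample requests: (caller uid, requested source paths).
    samples = [
        (1001, ["/dev/input/event0"]),      # unprivileged caller
        (0, ["/dev/zero"]),                 # special file outside the device tree
        (0, ["/root/.bash_history"]),       # path that must never be probed
    ]
    for uid, paths in samples:
        print(uid, paths, "->", handle_create_composite_device(uid, paths, {0}))
```

The handler returns the same `invalid device path` result whether the rejected path exists or not, which is the property that closes the existence-test leak; the authorization gate in front of it is what the CVE-2025-14338 fix turns on by default.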
SUSE researchers advise system administrators to immediately update to InputPlumber v0.69.0 or later, especially on gaming systems and SteamOS installations.
The coordinated disclosure process between SUSE security researchers and InputPlumber developers ensured fixes were available before public disclosure.
