{"id":9810,"date":"2026-01-12T10:03:40","date_gmt":"2026-01-12T10:03:40","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/01\/12\/critical-inputplumber-vulnerabilities-allows-ui-input-injection-and-denial-of-service\/"},"modified":"2026-01-12T10:03:40","modified_gmt":"2026-01-12T10:03:40","slug":"critical-inputplumber-vulnerabilities-allows-ui-input-injection-and-denial-of-service","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/01\/12\/critical-inputplumber-vulnerabilities-allows-ui-input-injection-and-denial-of-service\/","title":{"rendered":"Critical InputPlumber Vulnerabilities Allows UI Input Injection and Denial-of-Service"},"content":{"rendered":"

Critical InputPlumber Vulnerabilities Allows UI Input Injection and Denial-of-Service
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Critical vulnerabilities in InputPlumber, a Linux input device utility used in SteamOS, could allow attackers to inject UI inputs and cause denial-of-service conditions on affected systems.<\/p>\n

The SUSE researchers tracked as\u00a0CVE-2025-66005\u00a0and\u00a0CVE-2025-14338, which affect InputPlumber versions before v0.69.0 and stem from inadequate D-Bus authorization<\/a> mechanisms.<\/p>\n

InputPlumber combines Linux input devices into virtual input devices and runs with full root privileges, making these flaws particularly dangerous.<\/p>\n

The vulnerabilities allow any user on the system, including low-privilege accounts, to access InputPlumber\u2019s D-Bus service without authentication.<\/p>\n

\n\n\n\n\n\n\n
CVE ID<\/th>\nIssue<\/th>\nAffected Versions<\/th>\nImpact<\/th>\n<\/tr>\n<\/thead>\n
CVE-2025-66005<\/td>\nMissing authorization in D-Bus interface<\/td>\n< v0.63.0<\/td>\nDoS, info leak, privilege escalation<\/td>\n<\/tr>\n
CVE-2025-14338<\/td>\nPolkit auth disabled + auth race condition<\/td>\n< v0.69.0<\/td>\nDoS, info leak, privilege escalation<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Attackers Exploit this Access in Multiple Ways<\/strong><\/h2>\n

UI Input Injection:<\/strong> Malicious actors can create virtual keyboard devices and inject keystrokes<\/a> into active user sessions.<\/p>\n

This could lead to arbitrary code execution in the context of the currently logged-in user, compromising their session and data.<\/p>\n

Denial-of-Service: The\u00a0CreateCompositeDevice\u00a0method accepts file paths from clients, allowing attackers to trigger memory exhaustion by passing special files such as\u00a0\/dev\/zero.<\/p>\n

Information Disclosure: The same method can perform file existence tests and leak sensitive information from files normally inaccessible to low-privilege users, such as\u00a0\/root\/.bash_history.<\/p>\n

The vulnerabilities primarily affect Linux gaming systems running InputPlumber, including SteamOS. Valve has released SteamOS 3.7.20, which includes the InputPlumber v0.69.0 fix.<\/p>\n

Upstream developers have addressed most issues by switching to proper Polkit authentication<\/a>, enabling authorization by default, and applying systemd hardening.<\/p>\n

However, some D-Bus API improvements that use file descriptors instead of pathnames remain unmerged.<\/p>\n

SUSE researchers advise<\/a> system administrators to immediately update to InputPlumber v0.69.0 or later, especially on gaming systems and SteamOS installations.<\/p>\n

The coordinated disclosure process between SUSE security researchers and InputPlumber developers ensured fixes were available before public disclosure.<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

The post Critical InputPlumber Vulnerabilities Allows UI Input Injection and Denial-of-Service<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Abinaya
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Critical InputPlumber Vulnerabilities Allows UI Input Injection and Denial-of-Service Critical vulnerabilities in InputPlumber, a Linux input device utility used in SteamOS, could allow attackers to inject UI inputs and cause denial-of-service conditions on affected systems. The SUSE researchers tracked as\u00a0CVE-2025-66005\u00a0and\u00a0CVE-2025-14338, which affect InputPlumber versions before v0.69.0 and stem from inadequate D-Bus authorization mechanisms. InputPlumber combines […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2015,129,63,648],"tags":[130],"class_list":["post-9810","post","type-post","status-publish","format-standard","hentry","category-cve-vulnerabilities","category-cyber-security","category-cyber-security-news","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9810"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=9810"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9810\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=9810"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=9810"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=9810"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}