Critical InputPlumber Flaw Lets Local Users Inject Keystrokes

Security researchers at SUSE identified severe vulnerabilities in InputPlumber, a Linux utility for combining input devices into virtual input systems, affecting versions before v0.69.0.

The flaws, tracked as CVE-2025-66005 and CVE-2025-14338, stem from inadequate D-Bus authorization mechanisms and insufficient input verification, enabling arbitrary local users to inject keystrokes into active sessions and launch denial-of-service attacks.

InputPlumber operates with full root privileges on Linux gaming systems, including SteamOS, making these security gaps particularly critical.

The vulnerability disclosure process, which began in late November 2025, culminated in coordinated patches released on January 9, 2026, with Valve publishing SteamOS 3.7.20 containing the fixes.

Technical Architecture and Exposure

The InputPlumber daemon runs on the D-Bus system bus, exposing the "org.shadowblip.InputManager" interface to all system users. The service comprises approximately 50,000 lines of Rust code, with roughly 3,000 lines dedicated to the D-Bus API, providing around 90 different properties and 10 interfaces across multiple exported objects.

This complex attack surface, combined with inadequate access controls, allows unprivileged accounts—including system users like nobody—to interact with security-sensitive functionality.

Authentication and Authorization Defects

Two distinct authentication vulnerabilities plague different InputPlumber versions. In versions before v0.63.0, tracked as CVE-2025-66005, the D-Bus interfaces completely lack authentication mechanisms.

Later versions introduced Polkit authentication as a compile-time feature disabled by default, leaving systems unprotected unless explicitly enabled during compilation.

More critically, versions before v0.69.0 suffer from a race condition in the Polkit authorization implementation, designated CVE-2025-14338. The authentication logic incorrectly uses the deprecated "unix-process" Polkit subject, retrieving the caller's process ID from the D-Bus connection and passing it to the Polkit daemon.

Attackers can exploit this race condition by replacing their process ID with a privileged process identifier before the authorization daemon completes its credential validation, bypassing authentication entirely. This specific vulnerability was previously documented as CVE-2013-4288 and marked as deprecated in Polkit specifications.

Attack Vectors and Impact

The accessibility of D-Bus methods enables multiple attack chains. The CreateTargetDevice method permits any system user to instantiate virtual keyboard input devices, subsequently injecting arbitrary keystrokes into active user sessions through the SendKey interface.

Attackers can target desktop environments or login terminals, executing commands in the context of the currently logged-in user with no authentication required.

The CreateCompositeDevice method accepts file paths as parameters, exposing three distinct vulnerability classes. First, attackers can perform file existence tests on files typically inaccessible to unprivileged accounts, probing system configurations and determining target presence.

Second, specially crafted paths such as /dev/zero trigger memory exhaustion attacks, causing InputPlumber to consume system resources without bounds and denying service to legitimate users. Third, the method inadvertently leaks sensitive information from protected files, such as /root/.bash_history, through error messages that echo portions of file contents when parsing fails.

These primitives combine to enable privilege escalation scenarios where an attacker injects commands into an administrator's session, obtaining code execution with elevated privileges.

Upstream Remediation and Limitations

The InputPlumber development team addressed the reported issues through targeted commits integrated into version v0.69.0. Commit 4db3b20 corrects the Polkit authentication logic by switching from the deprecated "unix-process" subject to the secure "system bus name" approach, eliminating the race condition.
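To make the difference between the two Polkit subject kinds concrete, here is an added example (not InputPlumber's code) of how a D-Bus service would build the subject passed to Polkit's CheckAuthorization. The racy "unix-process" subject identifies the caller by PID, which the kernel can reuse; the "system-bus-name" subject identifies it by the unique connection name that the bus daemon itself stamps into the message header, which the client cannot choose or reuse. The action id is a placeholder, and the bus transport is injected as a callable so the logic runs without a live system bus.

```python
"""Polkit subject construction for a privileged D-Bus service (added example).

Assumptions (not from the page): the action id is a placeholder, and `call`
is an injected transport (bus_name, path, iface, method, *args) -> result so
the logic can be exercised without a live bus.
"""
from typing import Any, Callable, Dict, Tuple

POLKIT_BUS = "org.freedesktop.PolicyKit1"
POLKIT_PATH = "/org/freedesktop/PolicyKit1/Authority"
POLKIT_IFACE = "org.freedesktop.PolicyKit1.Authority"
ALLOW_USER_INTERACTION = 1  # CheckAuthorization flag bit
PLACEHOLDER_ACTION = "org.example.inputplumber.manage"  # hypothetical action id

# Polkit subjects are a (kind, details) pair, D-Bus signature (sa{sv}).
Subject = Tuple[str, Dict[str, Any]]
Transport = Callable[..., Tuple[bool, bool, Dict[str, str]]]


def deprecated_unix_process_subject(pid: int, start_time: int = 0) -> Subject:
    """The deprecated form (the CVE-2013-4288 pattern): the caller is named by
    a PID that the kernel may hand to another process before Polkit finishes
    resolving it, so the identity Polkit checks can differ from the caller."""
    return ("unix-process", {"pid": pid, "start-time": start_time})


def system_bus_name_subject(sender: str) -> Subject:
    """The corrected form: the unique connection name (e.g. ':1.42') is
    assigned and owned by the bus daemon for the connection's lifetime, so it
    cannot be spoofed or recycled underneath the authorization check."""
    if not sender.startswith(":"):
        # Message headers always carry the unique name; a well-known name here
        # means the caller string did not come from the bus daemon.
        raise ValueError("expected a unique connection name such as ':1.42'")
    return ("system-bus-name", {"name": sender})


def check_authorization(call: Transport, sender: str, action_id: str,
                        interactive: bool = False) -> bool:
    """Ask Polkit whether `sender` may perform `action_id`.

    `sender` must be taken from the incoming message's sender header, never
    from a method argument supplied by the client.
    """
    subject = system_bus_name_subject(sender)
    flags = ALLOW_USER_INTERACTION if interactive else 0
    is_authorized, _is_challenge, _details = call(
        POLKIT_BUS, POLKIT_PATH, POLKIT_IFACE, "CheckAuthorization",
        subject, action_id, {}, flags, "")
    return bool(is_authorized)


def handle_create_target_device(call: Transport, sender: str, kind: str) -> str:
    """Sketch of a guarded method handler: authorize before doing any work."""
    if not check_authorization(call, sender, PLACEHOLDER_ACTION):
        raise PermissionError(f"{sender} is not authorized for {PLACEHOLDER_ACTION}")
    return f"created virtual {kind} device for {sender}"


if __name__ == "__main__":
    def demo_call(*args):  # stand-in transport that grants everything
        return (True, False, {})
    print(handle_create_target_device(demo_call, ":1.42", "keyboard"))
```

In a real service the `call` argument wraps whichever D-Bus binding the daemon uses; the only security-relevant part is that `sender` comes from the message header and is passed through as a "system-bus-name" subject, so Polkit resolves the caller's credentials via the bus daemon rather than via a PID that may already belong to someone else.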

Commit f3854be enables Polkit authorization by default in the build configuration, ensuring authentication is active in standard installations. Commit 79f0745 applies systemd hardening, restricting file system access and reducing the blast radius of potential compromises.

However, SUSE researchers recommended transitioning from path-based parameters to file descriptor passing in D-Bus method signatures to eliminate entire classes of path-traversal and information-disclosure vulnerabilities.

While upstream developers created a pull request implementing this architectural improvement, it remained unmerged as of the January 2026 disclosure date. The original D-Bus API was retained for backward compatibility, leaving the underlying attack vectors intact despite the addition of Polkit protection.

Remediation Timeline and Disclosure Coordination

The vulnerability disclosure followed established coordinated practices. SUSE security personnel contacted InputPlumber developers on November 21, 2025, and submitted a detailed technical report on November 25.

Upstream developers immediately acknowledged the issues and committed to coordinated disclosure, with public discussion of fixes via GitHub pull requests commencing on December 8. Following stakeholder feedback and testing, Valve scheduled the publication of patched SteamOS images for January 9, 2026, serving as the embargo lift date for the complete technical report.

Practical Mitigation Strategies

Administrators operating InputPlumber on gaming systems or general-purpose Linux installations should prioritize upgrading to version v0.69.0 or later without delay.

The patched versions substantially reduce the attack surface through mandatory Polkit authorization, though organizations with non-standard Polkit configurations should verify that authentication rules enforce appropriate access restrictions.

Additional hardening measures include restricting D-Bus system bus access through local policy mechanisms, implementing AppArmor or SELinux profiles to confine InputPlumber's file access, and disabling the service on systems where input device virtualization is unnecessary.

Monitoring for suspicious CreateTargetDevice and CreateCompositeDevice method invocations through D-Bus audit logging provides forensic visibility into exploitation attempts.
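One way to get that visibility without an audit subsystem is to scan the system bus traffic that `dbus-monitor --system` prints and flag calls to the methods named above. The following added example (not part of the article or the InputPlumber project) parses the `method call` header lines that dbus-monitor emits, keeps the argument lines that follow each flagged call, and optionally annotates each finding with the caller's UID through a supplied lookup (in production that would wrap the bus daemon's GetConnectionUnixUser). The sample lines are constructed; the destination bus name, object paths, the SendKey interface name and the property name in them are placeholders, since the article names only the org.shadowblip.InputManager interface and the methods.

```python
"""Scan dbus-monitor output for sensitive InputPlumber method calls (added example).

Usage:  dbus-monitor --system | python3 scan_inputplumber.py
The SAMPLE text is constructed for offline testing; bus name, object paths and
the SendKey interface name are placeholders, not values from the page.
"""
import re
import sys
from typing import Callable, Dict, Iterable, List, Optional

SENSITIVE_MEMBERS = {"CreateTargetDevice", "CreateCompositeDevice", "SendKey"}

# dbus-monitor prints one header line per call; argument lines follow, indented.
CALL_RE = re.compile(
    r"^method call time=(?P<time>\S+) sender=(?P<sender>\S+) -> "
    r"destination=(?P<dest>\S+) serial=\d+ path=(?P<path>\S+); "
    r"interface=(?P<iface>\S+); member=(?P<member>\S+)$"
)

SAMPLE = """\
method call time=1767900000.101 sender=:1.97 -> destination=org.shadowblip.InputPlumber serial=12 path=/org/shadowblip/InputPlumber/Manager; interface=org.shadowblip.InputManager; member=CreateTargetDevice
   string "keyboard"
method call time=1767900000.155 sender=:1.97 -> destination=org.shadowblip.InputPlumber serial=13 path=/org/shadowblip/InputPlumber/devices/target/keyboard0; interface=org.shadowblip.Input.Keyboard; member=SendKey
   string "KEY_ENTER"
   boolean true
method call time=1767900000.200 sender=:1.12 -> destination=org.shadowblip.InputPlumber serial=14 path=/org/shadowblip/InputPlumber/Manager; interface=org.freedesktop.DBus.Properties; member=Get
   string "org.shadowblip.InputManager"
   string "SomeProperty"
"""


def scan(lines: Iterable[str],
         uid_of: Optional[Callable[[str], int]] = None) -> List[Dict]:
    """Return one finding per sensitive call, with its argument lines attached."""
    findings: List[Dict] = []
    current: Optional[Dict] = None
    for raw in lines:
        line = raw.rstrip("\n")
        m = CALL_RE.match(line)
        if m:
            current = None  # a new header closes the previous call's argument list
            if m["iface"].startswith("org.shadowblip.") and m["member"] in SENSITIVE_MEMBERS:
                current = {**m.groupdict(), "args": []}
                if uid_of is not None:
                    current["uid"] = uid_of(m["sender"])
                findings.append(current)
            continue
        if current is not None and line.startswith("   "):
            current["args"].append(line.strip())
    return findings


def format_finding(f: Dict) -> str:
    who = f["sender"] if "uid" not in f else f"{f['sender']} (uid {f['uid']})"
    return f"{f['time']} {who} -> {f['iface']}.{f['member']} {f['args']}"


if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    # Constructed UID table standing in for GetConnectionUnixUser lookups.
    demo_uids = {":1.97": 65534, ":1.12": 1000}
    for finding in scan(source, uid_of=lambda s: demo_uids.get(s, -1)):
        print(format_finding(finding))
```

Any CreateTargetDevice or SendKey call from a connection whose UID is not the expected session user, and every CreateCompositeDevice call whose string argument is a path outside the daemon's configuration directory, is worth an alert; the argument lines are retained so the path can be written into the finding.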

The discovery underscores broader challenges in securing complex systems services with privileged access. The InputPlumber case demonstrates how authentication bypass vulnerabilities, particularly those involving race conditions in authorization frameworks, can completely compromise security assumptions despite multiple layers of intended protection.

Organizations relying on InputPlumber in production environments should treat this disclosure as a critical priority requiring immediate patching and security validation.

Kira Sharma

Kira Sharma is a cybersecurity enthusiast and AI commentator. She brings deep knowledge to the core of the internet, analyzing trends in Cybersecurity & Privacy, the future of Artificial Intelligence, and the evolution of Software & Apps.