Ddos 
A utility designed to enhance the Linux gaming experience has been found to harbor critical security vulnerabilities that could allow local attackers to hijack sessions or crash systems. The SUSE Security Team has released a report on InputPlumber, a tool used for combining input devices in environments like SteamOS, revealing that early versions were essentially wide open to exploitation.
The vulnerabilities, tracked as CVE-2025-66005 and CVE-2025-14338, stem from a failure to properly authenticate users interacting with the tool’s D-Bus service. Because InputPlumber runs with root privileges, this oversight created a direct path for privilege escalation.
The issues were discovered during a routine package review by SUSE. InputPlumber, which is “mostly used in the context of Linux gaming and is part of SteamOS,” exposes a D-Bus system service to manage devices. However, the security team found that the doors were left unlocked.
“The first version of InputPlumber we reviewed was completely lacking client authentication, causing us to reject it,” the report states.
Even after a follow-up attempt to add Polkit authentication, the implementation remained flawed. The review found that “Polkit support was only a compile-time feature… which was disabled by default,” meaning the shipped binaries often had no protection at all. Furthermore, the implementation suffered from a race condition vulnerability (CVE-2025-14338) historically associated with the unsafe use of the “unix-process” Polkit subject.
The lack of effective authentication meant that “all InputPlumber D-Bus methods can be considered accessible by all users in the system” . This exposure allowed for dangerous attacks via the CreateTargetDevice and CreateCompositeDevice methods.
Researchers demonstrated that an attacker could create a virtual keyboard and inject key presses into another user’s session. “Any user in the system can inject input to an active desktop session or the active login terminal screen, possibly leading to arbitrary code execution in the context of the currently logged in user,” the report warns.
Additionally, the CreateCompositeDevice method could be abused to check for the existence of privileged files or leak their contents, such as root’s bash history, by parsing them as config files. “The method allows for an information leak, e.g. from /root/.bash_history,” the researchers noted, showing how error messages revealed sensitive file content.
Following a coordinated disclosure process, the upstream developers have patched the flaws. InputPlumber version v0.69.0 addresses the vulnerabilities by enabling Polkit authorization by default and switching to a secure authentication subject.
Users are advised to upgrade immediately. The report confirms that “SteamOS also published new images for version 3.7.20 containing the fixes”.
Donate