AI description
CVE-2025-14338 is a vulnerability identified in InputPlumber, a Linux utility designed to combine input devices into virtual ones, commonly used in Linux gaming environments like SteamOS. This flaw primarily stems from inadequate D-Bus authorization mechanisms in InputPlumber versions prior to v0.69.0. Specifically, Polkit authentication was often disabled by default, and even when available as a compile-time option, it was not straightforward to enable. The vulnerability is further compounded by a race condition and the use of the deprecated "unix-process" Polkit subject, which is susceptible to PID replacement attacks. These issues allow local, unprivileged users to bypass authentication and access privileged D-Bus methods. This unauthorized access can be exploited through methods like `CreateCompositeDevice` to perform unauthorized file existence tests, leak sensitive information, or trigger memory exhaustion, and through `CreateTargetDevice` to create virtual keyboard devices and inject arbitrary keystrokes into active user sessions.
- Description
- Polkit authentication disabled by default and a race condition in the Polkit authorization check in versions before v0.69.0 can lead to the same issues as in CVE-2025-66005.
- Source
- meissner@suse.de
- NVD status
- Awaiting Analysis
CVSS 4.0
- Type
- Secondary
- Base score
- 8.5
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
- meissner@suse.de
- CWE-284
- Hype score
- Not currently trending
CVE-2025-14338 Polkit authentication disabled by default and a race condition in the Polkit authorization check in versions before v0.69.0 can lead to the same issues as in CVE-2… https://t.co/7fv6RLw6iI
@CVEnew
14 Jan 2026
🚨 Critical InputPlumber Flaws Let Local Attackers Inject Keystrokes and Trigger DoS on SteamOS/Linux SUSE disclosed CVE-2025-66005 and CVE-2025-14338 in InputPlumber’s D-Bus/Polkit auth, allowing unprivileged local users to call sensitive methods to create virtual keyboard
@ThreatSynop
12 Jan 2026
InputPlumber Linux input utility used in SteamOS hit by critical flaws CVE-2025-66005 and CVE-2025-14338, enabling UI input injection and DoS on versions prior to v0.69.0 via weak D-Bus auth. #Vulnerabilities https://t.co/o8BeeNrZs9
@threatcluster
12 Jan 2026
🚨 Critical InputPlumber CVEs Let Any Local User Inject UI Keystrokes on SteamOS/Linux — Patch v0.69.0 Now SUSE reports two InputPlumber flaws (CVE-2025-66005, CVE-2025-14338) where missing D-Bus authorization/Polkit issues in a root-privileged service enable UI input injecti
@ThreatSynop
12 Jan 2026
CVE-2025-14338 InputPlumber https://t.co/ycgCmFatQ6 Vulnerability Notification: https://t.co/xhLrNnfyrO
@VulmonFeeds
10 Jan 2026
InputPlumber: Lack of D-Bus Authorization and Input Verification allows UI Input Injection and Denial-of-Service (CVE-2025-66005, CVE-2025-14338) https://t.co/GZSEONhW24 utility for combining Linux input devices into virtual input devices. D-Bus daemon [...] to inject key presses
@oss_security
10 Jan 2026