CVE-2025-14338

Published Jan 14, 2026

Last updated 2 months ago

Overview

Description
Polkit authentication is disabled by default and a race condition in the Polkit authorization check in versions before v0.69.0 can lead to the same issues as in CVE-2025-66005.
Source
meissner@suse.de
NVD status
Awaiting Analysis

Risk scores

CVSS 4.0

Type
Secondary
Base score
8.5
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
HIGH

Weaknesses

meissner@suse.de
CWE-284

Social media

Hype score
Not currently trending
  1. CVE-2025-14338 Polkit authentication is disabled by default and a race condition in the Polkit authorization check in versions before v0.69.0 can lead to the same issues as in CVE-2… https://t.co/7fv6RLw6iI

    @CVEnew

    14 Jan 2026


  2. 🚨 Critical InputPlumber Flaws Let Local Attackers Inject Keystrokes and Trigger DoS on SteamOS/Linux SUSE disclosed CVE-2025-66005 and CVE-2025-14338 in InputPlumber’s D-Bus/Polkit auth, allowing unprivileged local users to call sensitive methods to create virtual keyboard

    @ThreatSynop

    12 Jan 2026


  3. InputPlumber Linux input utility used in SteamOS hit by critical flaws CVE-2025-66005 and CVE-2025-14338, enabling UI input injection and DoS on versions prior to v0.69.0 via weak D-Bus auth. #Vulnerabilities https://t.co/o8BeeNrZs9

    @threatcluster

    12 Jan 2026


  4. 🚨 Critical InputPlumber CVEs Let Any Local User Inject UI Keystrokes on SteamOS/Linux — Patch v0.69.0 Now SUSE reports two InputPlumber flaws (CVE-2025-66005, CVE-2025-14338) where missing D-Bus authorization/Polkit issues in a root-privileged service enable UI input injecti

    @ThreatSynop

    12 Jan 2026


  5. CVE-2025-14338 InputPlumber https://t.co/ycgCmFatQ6 Vulnerability Notification: https://t.co/xhLrNnfyrO

    @VulmonFeeds

    10 Jan 2026


  6. InputPlumber: Lack of D-Bus Authorization and Input Verification allows UI Input Injection and Denial-of-Service (CVE-2025-66005, CVE-2025-14338) https://t.co/GZSEONhW24 utility for combining Linux input devices into virtual input devices. D-Bus daemon [...] to inject key presses

    @oss_security

    10 Jan 2026
