CVE-2025-66005

Published Jan 14, 2026

Last updated a month ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-66005 is a vulnerability in InputPlumber, a Linux utility that combines input devices into virtual ones and is often used in Linux gaming environments such as SteamOS. The flaw stems from a complete lack of authorization on the InputManager D-Bus interface in versions prior to v0.63.0. As a result, any local user on the system can call privileged D-Bus methods without authentication. That access can be used to test for the existence of files, leak sensitive information from restricted files (such as `/root/.bash_history`), and trigger memory exhaustion, potentially leading to denial-of-service conditions.

Description: Lack of authorization of the InputManager D-Bus interface in InputPlumber versions before v0.63.0 can lead to local Denial-of-Service, information leak or even privilege escalation in the context of the currently active user session.
Source: meissner@suse.de
NVD status: Awaiting Analysis

Risk scores

CVSS 4.0

Type: Secondary
Base score: 8.5
Impact score: -
Exploitability score: -
Vector string: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity: HIGH

Weaknesses

meissner@suse.de: CWE-863

Social media

Hype score: Not currently trending

  1. InputPlumber vulnerabilities CVE-2025-66005/14338 fixed: potential UI input injection and DoS https://t.co/2NGX6LW2An InputPlumber, which underpins gaming environments such as SteamOS

    @iototsecnews

    19 Jan 2026


  2. CVE-2025-66005 Lack of authorization of the InputManager D-Bus interface in InputPlumber versions before v0.63.0 can lead to local Denial-of-Service, information leak or even privil… https://t.co/kH0ZCCDwip

    @CVEnew

    14 Jan 2026


  3. 🚨 Critical InputPlumber Flaws Let Local Attackers Inject Keystrokes and Trigger DoS on SteamOS/Linux SUSE disclosed CVE-2025-66005 and CVE-2025-14338 in InputPlumber’s D-Bus/Polkit auth, allowing unprivileged local users to call sensitive methods to create virtual keyboard

    @ThreatSynop

    12 Jan 2026


  4. InputPlumber Linux input utility used in SteamOS hit by critical flaws CVE-2025-66005 and CVE-2025-14338, enabling UI input injection and DoS on versions prior to v0.69.0 via weak D-Bus auth. #Vulnerabilities https://t.co/o8BeeNrZs9

    @threatcluster

    12 Jan 2026


  5. 🚨 Critical InputPlumber CVEs Let Any Local User Inject UI Keystrokes on SteamOS/Linux — Patch v0.69.0 Now SUSE reports two InputPlumber flaws (CVE-2025-66005, CVE-2025-14338) where missing D-Bus authorization/Polkit issues in a root-privileged service enable UI input injecti

    @ThreatSynop

    12 Jan 2026


  6. Critical flaws in InputPlumber (CVE-2025-66005) expose Linux gamers to session hijacking. Update to v0.69.0 or SteamOS 3.7.20 immediately to secure. #LinuxGaming #SteamOS #InputPlumber #CyberSecurity #CVE202566005 #InfoSec #OpenSource #TechNews https://t.co/JjmzoKA8tc

    @the_yellow_fall

    12 Jan 2026


  7. CVE-2025-66005 InputPlumber https://t.co/4tXXJQzfpu

    @VulmonFeeds

    10 Jan 2026


  8. InputPlumber: Lack of D-Bus Authorization and Input Verification allows UI Input Injection and Denial-of-Service (CVE-2025-66005, CVE-2025-14338) https://t.co/GZSEONhW24 utility for combining Linux input devices into virtual input devices. D-Bus daemon [...] to inject key presses

    @oss_security

    10 Jan 2026
