EXECUTIVE SUMMARY:
Critical security flaws have been identified in InputPlumber, a Linux utility used to manage input devices on systems such as SteamOS, exposing affected systems to input injection, information disclosure, and denial-of-service risks. The issues stem from improper authorization controls in InputPlumber’s D-Bus interface, allowing any local user, including low-privileged accounts, to interact with a service running with full root privileges. By abusing this access, attackers can create virtual input devices to inject keystrokes into active sessions, potentially leading to code execution in the context of logged-in users. Additional abuse paths enable memory exhaustion through specially crafted file paths and leakage of sensitive system files that are normally inaccessible. These weaknesses primarily impact Linux gaming environments where InputPlumber is enabled by default, increasing the risk of local compromise and system instability until patched versions are applied.
The identified InputPlumber vulnerabilities highlight how weak authorization in privileged system services can expose Linux gaming systems to serious local attacks. Addressing these flaws reduces the risk of input manipulation, data exposure, and system disruption on affected environments.
RECOMMENDATION:
We strongly recommend that you update InputPlumber to version v0.69.0 or later.
REFERENCES:
The following reports contain further technical details: