Local Denial-of-Service and Privilege Escalation in InputPlumber by SUSE
CVE-2025-66005

8.5 HIGH

Key Information:

Vendor
CVE Published: 14 January 2026

Badges

Score: 122
News Worthy

What is CVE-2025-66005?

CVE-2025-66005 is a security vulnerability identified in InputPlumber, an application developed by SUSE that facilitates interaction with input devices and their configuration management. This vulnerability arises from inadequate authorization controls within the InputManager D-Bus interface in versions prior to v0.63.0. Consequently, local attackers could leverage this weakness to execute Denial-of-Service (DoS) attacks, potentially causing the input management functionalities to halt. Furthermore, it can lead to privilege escalation, allowing an attacker to gain unauthorized access to higher-level functionalities and sensitive information within the user session. The presence of this vulnerability poses a significant threat to organizations relying on InputPlumber for input device management and configuration.

Potential impact of CVE-2025-66005

  1. Local Denial-of-Service: Attackers can exploit this vulnerability to disrupt the functionality of input management services, leading to system downtime and hindering productivity.

  2. Privilege Escalation: The vulnerability can allow attackers to elevate their privileges within the system, enabling them to access sensitive data or execute commands with elevated permissions.

  3. Information Leakage: The improper authorization could result in unauthorized information disclosure, potentially exposing critical user data and system configurations to malicious actors.

Affected Version(s)

inputplumber ? < 0.63.0

News Articles

Critical InputPlumber Vulnerability Enables UI Input Injection and Denial-of-Service

InputPlumber is primarily utilized in Linux gaming environments and is integrated into Valve's SteamOS platform.

4 weeks ago

Critical InputPlumber Flaw Enables UI Input Injection and Denial-of-Service

Critical vulnerabilities in InputPlumber could allow attackers to inject keystrokes, leak sensitive information, and cause denial-of-service conditions.

4 weeks ago

References

CVSS V4

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • First article discovered by gbhackers.com

  • Vulnerability Reserved

Credit

Matthias Gerstner of SUSE