SteamOS InputPlumber D-Bus Auth Bypass and Privilege Escalation (CVE-2025-66005/14338)

CVEs: CVE-2025-66005, CVE-2025-14338 Vulnerable Component: InputPlumber, a Linux utility part of SteamOS Affected Version: 0.67.0 (and earlier) Vulnerabilities: - Lack of Authentication/Polkit Authentication Bypass: Client authentication was either missing or bypassed, allowing unprivileged users to access D-Bus methods without authentication. - D-Bus Methods Allowing Privilege Escalation: - and methods allow unauthorized access and privilege escalation. Fixes Suggested and Implemented: - Updated Polkit authentication logic using "system bus name" subject. - Enabled Polkit authorization by default in the build process. - Used file descriptors instead of path names. - Added documentation and systemd service hardening. Timeline of Disclosure and Fixes: - Initial contact with developers: November 21, 2025. - Fixes in InputPlumber version: v0.69.0. - Publication of this report: January 9, 2026. Publication Context: Some security aspects remained unaddressed at the time of the report's publication.

Goal Reached Thanks to every supporter — we hit 100%!

SteamOS InputPlumber D-Bus Auth Bypass and Privilege Escalation (CVE-2025-66005/14338)