openSUSE inputplumber D-Bus Unauthorized Access & Race Condition (CVE-2025-14338, CVE-2025-66005)

Bug ID: 1249149 Summary: AUDIT-TRACKER: CVE-2025-14338, CVE-2025-66005: inputplumber: dbus-file-unauthorized Status: IN_PROGRESS Product: openSUSE Tumbleweed Component: Security Version: Current Severity: Normal Classification: openSUSE Alias: CVE-2025-14338, CVE-2025-66005 Reported: 2025-09-05 00:09 UTC by Tobias Görgens Modified: 2026-01-19 22:16 UTC Assignee: Matthias Gerstner Key Points: The vulnerability relates to the InputPlumber package's D-Bus interface being unauthorized. It involves lack of default-enabled Polkit authentication and a race condition in Polkit authorization. Fixes are being coordinated upstream with Pull Requests to address various aspects of the report. CVSS scores indicate a high severity due to the potential for arbitrary code execution or a local root exploit. The embargo period has been lifted, and release of a new version is pending final testing and review.

Goal Reached Thanks to every supporter — we hit 100%!

openSUSE inputplumber D-Bus Unauthorized Access & Race Condition (CVE-2025-14338, CVE-2025-66005)