KDE Plasma Affected By Arbitrary Code Execution To Break Sandboxes With "Open New Window"
([KDE] 4 Hours Ago
KDE Plasma)
- Reference: 0001644232
- News link: https://www.phoronix.com/news/KDE-Plasma-ACE-New-Window
- Source link:
A security disclosure has been made public today for a yet-to-be-patched arbitrary code execution vulnerability with the KDE Plasma desktop.
Open-source developer Kimiblock discovered an arbitrary code execution exploit for Plasma that can break sandboxes. The issue was reported to upstream KDE developers via their security email address and reportedly ignored and unpatched in the latest Plasma 6.7 desktop. Following the typical 90 day embargo, the exploit including proof-of-concept code has been published.
[1]This web page outlines the arbitrary code execution and the possibility of malicious sandboxed apps such as via Flatpak could spawn arbitrary binaries on the host via Plasma's "Open New Window" action.
"While accidently middle clicking on the task bar (it would invoke “Open New Window” by default for a specific app), the app launched a new window as expected, yet it did not seem to remember my saved login credentials, nor did it use any of modified settings. Upon closer inspection, combining the PID obtained from KWin Debug Console and control groups + rootfs info from procfs, a complete sandbox escape has surfaced.
...
So it was clear, there is a complete sandbox escape when I accidently triggered a middle-click inside the virtual machine."
The issue is yet to be patched and with no follow-ups from the KDE security team, the proof of concept code and details were made public today following the 90 day window. All the details for those interested via [2]the disclosure page .
[1] https://blog.kimiblock.top/2026/07/01/arbitrary-code-execution-in-kde-plasma/
[2] https://blog.kimiblock.top/2026/07/01/arbitrary-code-execution-in-kde-plasma/
Open-source developer Kimiblock discovered an arbitrary code execution exploit for Plasma that can break sandboxes. The issue was reported to upstream KDE developers via their security email address and reportedly ignored and unpatched in the latest Plasma 6.7 desktop. Following the typical 90 day embargo, the exploit including proof-of-concept code has been published.
[1]This web page outlines the arbitrary code execution and the possibility of malicious sandboxed apps such as via Flatpak could spawn arbitrary binaries on the host via Plasma's "Open New Window" action.
"While accidently middle clicking on the task bar (it would invoke “Open New Window” by default for a specific app), the app launched a new window as expected, yet it did not seem to remember my saved login credentials, nor did it use any of modified settings. Upon closer inspection, combining the PID obtained from KWin Debug Console and control groups + rootfs info from procfs, a complete sandbox escape has surfaced.
...
So it was clear, there is a complete sandbox escape when I accidently triggered a middle-click inside the virtual machine."
The issue is yet to be patched and with no follow-ups from the KDE security team, the proof of concept code and details were made public today following the 90 day window. All the details for those interested via [2]the disclosure page .
[1] https://blog.kimiblock.top/2026/07/01/arbitrary-code-execution-in-kde-plasma/
[2] https://blog.kimiblock.top/2026/07/01/arbitrary-code-execution-in-kde-plasma/