Recently, a vulnerability was discovered in the LightDM KDE Greeter, the KDE project's login screen implementation built on the LightDM framework. The vulnerability, tracked as CVE-2025-62876, allows the unprivileged lightdm user to escalate to root. Fortunately, it has been fixed in lightdm-kde-greeter version 6.0.4.
The SUSE security team discovered the vulnerability while reviewing a request to include the lightdm-kde-greeter package in the openSUSE Tumbleweed repository. The issue lies in the DBus service that lets users personalize their login screen theme. This service runs as a KAuth handler with root privileges. The vulnerability stems from the code path that handles settings whose names start with "copy_": when such a setting is encountered, a root-privileged function copies the specified file into the /var/lib/lightdm directory, which is owned by the lightdm user. This mechanism exists to import images from a user's home directory that LightDM itself cannot read because of permission restrictions.
Because the copy runs with root privileges and the copied file's ownership is changed afterward, an attacker could copy arbitrary files, including sensitive ones such as /etc/shadow, into the publicly accessible /var/lib/lightdm directory and read them there. Additionally, by placing in /var/lib/lightdm a symbolic link bearing the destination file's name, the root-privileged copy can be redirected to overwrite system files.
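As an added example (not the project's code and not its actual fix), the following sketch shows how a root-privileged copy helper of the kind described above can refuse both abuses: it accepts only regular files owned by the requesting user, and it creates the destination with O_EXCL | O_NOFOLLOW so a symlink planted in the target directory is never followed or overwritten. The function names, the ownership rule and the temp-directory scenario are assumptions chosen for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy `src` into `dstdir/name` on behalf of `caller`; returns 0 or -errno. */
int safe_copy_for_user(const char *src, const char *dstdir, const char *name, uid_t caller)
{
    struct stat st; char buf[4096]; ssize_t n;
    /* The destination must be a single path component: no traversal out of dstdir. */
    if (!*name || strchr(name, '/') || !strcmp(name, ".") || !strcmp(name, ".."))
        return -EINVAL;
    /* Do not follow a symlinked source; accept only regular files the caller owns. */
    int in = open(src, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (in < 0) return -errno;
    if (fstat(in, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != caller) { close(in); return -EPERM; }
    int dfd = open(dstdir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) { close(in); return -errno; }
    /* O_EXCL: fail if anything, a file or a planted symlink, already sits at that name. */
    int out = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0644);
    int err = errno; close(dfd); if (out < 0) { close(in); return -err; }
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) { n = -1; break; }
    close(in);
    return (close(out) == 0 && n == 0) ? 0 : -EIO;
}

/* Constructed scenario in a temp dir; returns 0 when every check behaves as intended. */
int run_demo(void)
{
    char dir[] = "/tmp/cpdemoXXXXXX", src[64], dst[64], tgt[64], link[80];
    if (!mkdtemp(dir)) return 1;
    snprintf(src, sizeof src, "%s/wallpaper.png", dir);
    snprintf(dst, sizeof dst, "%s/lightdm", dir);      /* stands in for /var/lib/lightdm */
    snprintf(tgt, sizeof tgt, "%s/system-file", dir);  /* stands in for a root-owned file */
    snprintf(link, sizeof link, "%s/evil", dst);
    FILE *f = fopen(src, "w"); if (!f) return 2; fputs("png-bytes", f); fclose(f);
    f = fopen(tgt, "w"); if (!f) return 3; fputs("intact", f); fclose(f);
    if (mkdir(dst, 0755) || symlink(tgt, link)) return 4;
    if (safe_copy_for_user(src, dst, "wallpaper.png", getuid()) != 0) return 5;   /* legitimate copy */
    if (safe_copy_for_user(src, dst, "shadow", getuid() + 1) != -EPERM) return 6; /* not caller's file */
    if (safe_copy_for_user(src, dst, "evil", getuid()) != -EEXIST) return 7;      /* planted symlink */
    if (safe_copy_for_user(src, dst, "../escape", getuid()) != -EINVAL) return 8; /* traversal */
    return 0;
}

int main(void) { int rc = run_demo(); printf("demo %s (%d)\n", rc ? "FAILED" : "ok", rc); return rc; }
```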
If the Polkit configuration allows unprivileged users to invoke the LightDM theme change handler, this vulnerability lets any user elevate to root. However, Polkit typically requires the "auth_admin_keep" right for this action, which means the administrator password must be entered. In that configuration, the attack is only feasible for someone who already has access as the lightdm user.
Because it first requires obtaining the lightdm user's privileges, the vulnerability has been rated Low Severity. It is believed that the vulnerability could be exploited