CVE-2022-27817

Vulnerability

SWHKD 1.1.5, a hotkey daemon for Wayland, runs with root privileges and captures keyboard events from all users on the system, not only the intended user. This is due to the daemon's design that does not isolate input per seat or user. [1][2]

Exploitation

An attacker with local access to a multi-user system can exploit this by simply having the swhkd daemon running. The daemon will intercept all keyboard input, including that of other users, without requiring any special privileges beyond being able to start the daemon (which typically requires root or setuid). [1]

Impact

The attacker can capture keystrokes of other users, leading to information disclosure (e.g., passwords, confidential data). Additionally, the legitimate user's keyboard input may be consumed by the daemon, resulting in denial of service for keyboard functionality. [1][2]

Mitigation

As of the latest release (1.2.1), CVE-2022-27817 remains unfixed because a proper solution requires a complete rewrite to handle seat isolation. The maintainer notes that for single-user (single-seat) systems, the vulnerability is not exploitable. No workaround is available; users on multi-user systems should avoid running swhkd or restrict its use to single-user environments. [4]