A publicly disclosed vulnerability in KDE Plasma allows a sandboxed application to trigger arbitrary code execution on the host through the "Open New Window" action. According to researcher Kimiblock, Plasma decides what to launch by inspecting the target process's /proc/PID/cmdline and argv[0]. Both are chosen by whoever calls execve() and can be set to any string, so a process can make the desktop start a different program from the one actually running. The issue is particularly serious for sandboxed apps such as those distributed via Flatpak, because a malicious app can present false launch metadata and cause Plasma, which runs on the host, to spawn host binaries outside the sandbox boundary.
The disclosure says the bug remained unpatched in Plasma 6.7 after a 90-day embargo expired, prompting publication of proof-of-concept details. Separate reporting on KDE's ongoing Plasma 6.8 development and 6.7.2/6.7.3 maintenance updates noted the same launcher weakness alongside unrelated fixes for Chromium-based application crashes, VRR and RDP/session issues, systemd integration, and a KWin CPU usage bug on Intel systems, but did not indicate that the sandbox-escape flaw had been fully resolved.
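To make the spoofing primitive described above concrete, here is an added example that is not code from the disclosure, from Kimiblock, or from KDE. It execs /bin/cat under a constructed argv[0], then reads the child's /proc/PID/cmdline the way a launcher that trusts argv[0] would, and compares it with /proc/PID/exe, which the kernel fills from the file actually passed to execve(). The binary, the spoofed name "/usr/bin/totally-trusted-app", and the function names are assumptions for illustration only; the page does not describe Plasma's actual code path, and the exe-based check is not KDE's fix.

```c
/* argv0_spoof_demo.c: added example, not from the disclosure or from KDE.
 * Shows why /proc/PID/cmdline (argv[0]) is not a trustworthy launch target:
 * the caller of exec() chooses it. /proc/PID/exe is kernel-maintained.
 * Linux only. Build: cc -o argv0_spoof_demo argv0_spoof_demo.c */
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* What the disclosure says Plasma trusts: argv[0] as seen in /proc/PID/cmdline.
 * cmdline is NUL-separated, so the first C string in the buffer is argv[0]. */
int read_cmdline_argv0(pid_t pid, char *out, size_t outlen)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/cmdline", (int)pid);
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(out, 1, outlen - 1, f);
    fclose(f);
    out[n] = '\0';
    return n > 0 ? 0 : -1;
}

/* Kernel-maintained alternative: the binary actually mapped by execve(). */
int read_exe_path(pid_t pid, char *out, size_t outlen)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/exe", (int)pid);
    ssize_t n = readlink(path, out, outlen - 1);
    if (n < 0) return -1;
    out[n] = '\0';
    return 0;
}

/* Runs /bin/cat under a spoofed argv[0] (constructed, hypothetical name) and
 * inspects the child the way a launcher would. Returns 1 when cmdline shows
 * the spoof while exe still resolves to the real binary, 0 when the spoof was
 * not visible, -1 on setup or exec failure. */
int spoof_demo(const char *spoofed_argv0, char *cmdline_out, size_t cl_len,
               char *exe_out, size_t exe_len)
{
    const char *real_binary = "/bin/cat";
    char real_resolved[PATH_MAX];
    if (!realpath(real_binary, real_resolved)) return -1; /* follows /bin -> /usr/bin, busybox, ... */

    int to_child[2], from_child[2];
    if (pipe(to_child) < 0 || pipe(from_child) < 0) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        dup2(to_child[0], STDIN_FILENO);
        dup2(from_child[1], STDOUT_FILENO);
        close(to_child[0]); close(to_child[1]);
        close(from_child[0]); close(from_child[1]);
        char *argv[] = { (char *)spoofed_argv0, NULL };
        execv(real_binary, argv); /* the spoof: argv[0] is not the path being executed */
        _exit(127);
    }
    close(to_child[0]);
    close(from_child[1]);

    /* Synchronise: once cat echoes a byte back, execve() has fully completed and
     * /proc/PID/cmdline is populated. EOF instead means the exec failed. */
    char c = 0;
    int ok = -1;
    if (write(to_child[1], "x", 1) == 1 && read(from_child[0], &c, 1) == 1 && c == 'x') {
        ok = read_cmdline_argv0(pid, cmdline_out, cl_len) == 0
          && read_exe_path(pid, exe_out, exe_len) == 0
          && strcmp(cmdline_out, spoofed_argv0) == 0
          && strcmp(exe_out, real_resolved) == 0;
    }
    close(to_child[1]);   /* EOF on stdin: cat exits */
    close(from_child[0]);
    waitpid(pid, NULL, 0);
    return ok;
}

/* Convenience wrapper using the constructed spoof name. */
int spoof_demo_default(void)
{
    char cl[256] = "", ex[PATH_MAX] = "";
    return spoof_demo("/usr/bin/totally-trusted-app", cl, sizeof cl, ex, sizeof ex);
}

int main(void)
{
    char cl[256] = "", ex[PATH_MAX] = "";
    int r = spoof_demo("/usr/bin/totally-trusted-app", cl, sizeof cl, ex, sizeof ex);
    printf("cmdline argv[0]: %s\nexe: %s\nspoof visible, exe intact: %d\n", cl, ex, r);
    return r == 1 ? 0 : 1;
}
```

The takeaway for anyone building a launcher: anything derived from argv[0] or cmdline is process-controlled metadata, not an identity. /proc/PID/exe at least names the binary the kernel mapped, but (my note, not the page's) it still does not identify a sandboxed caller; Flatpak-aware components such as the desktop portals determine the app ID from the /.flatpak-info file reachable through /proc/PID/root rather than from anything the process reports about itself.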

Timeline (3 events, most recent first):
A later report described the "Open New Window" behavior as relying on /proc/PID/cmdline and argv[0], which an application can spoof to change the launch target and cause the wrong program to start. One version of that report said the flaw was relevant to Flatpak applications; another said Flatpak applications were unaffected.
After the 90-day embargo elapsed, Kimiblock publicly disclosed proof-of-concept details for an unpatched KDE Plasma vulnerability that could let a malicious sandboxed app spawn arbitrary host binaries via "Open New Window." The disclosure states the issue remained unpatched in Plasma 6.7 and that there had been no follow-up responses from KDE's security team before publication.
Developer Kimiblock discovered an arbitrary code execution issue in KDE Plasma's "Open New Window" action and reported it to KDE through the project's security contact. The disclosure says a 90-day embargo followed the report.
Sources (3): opennet.me, opennet.ru, phoronix.com