Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, pamusb-pinentry reads the PINENTRY_FALLBACK_APP environment variable and executes it directly without any validation. Any process that can set environment variables before pamusb-pinentry is invoked can point PINENTRY_FALLBACK_APP at an arbitrary binary or script and have it executed with the privileges of the pam_usb tool chain. This vulnerability is fixed in 0.8.7.
AnalysisAI
Local privilege escalation in pam_usb prior to 0.8.7 lets a low-privileged user gain the elevated privileges of the pam_usb tool chain by abusing the pamusb-pinentry helper. The helper trusts the PINENTRY_FALLBACK_APP environment variable and executes its value directly, so any process able to set that variable before pamusb-pinentry runs can have an arbitrary binary executed. There is no public exploit identified at time of analysis, and the issue is fixed in version 0.8.7; the GitHub Security Advisory (GHSA-jxrj-q67x-wr4c) is the sole reference.
Technical ContextAI
pam_usb is a PAM authentication module that turns ordinary removable media (USB drives) into a hardware authentication factor for Linux logins, sudo, and similar PAM-gated actions. As part of its PIN-entry workflow it ships pamusb-pinentry, a helper that bridges to a pinentry program for collecting secrets. The flaw is a classic CWE-78 (Improper Neutralization of Special Elements used in an OS Command / command injection) issue: pamusb-pinentry reads the PINENTRY_FALLBACK_APP environment variable and passes it straight to execution with no allow-list, path validation, or sanitization. Because environment variables are inherited from the invoking process and pam_usb runs inside privileged authentication flows, an attacker-controlled value is executed in that privileged context. No CPE strings were provided in the source data, so exact affected platform/package identifiers were not enumerated by NVD here.
RemediationAI
Apply the vendor-released patch: upgrade pam_usb to version 0.8.7 or later, which removes the unvalidated execution of PINENTRY_FALLBACK_APP; see the advisory at https://github.com/mcdope/pam_usb/security/advisories/GHSA-jxrj-q67x-wr4c for details. If immediate upgrade is not possible, the most direct compensating control is to prevent the dangerous variable from reaching the helper - sanitize the PAM/login environment so PINENTRY_FALLBACK_APP cannot be inherited into privileged authentication flows (for example via pam_env configuration or by clearing the variable in the relevant service context), accepting that this may break any legitimate custom pinentry fallback behavior. Additionally, restrict local access to trusted users and audit who can invoke or influence the pam_usb tool chain, since the vulnerability fundamentally requires a local foothold; these controls reduce exposure but do not eliminate the flaw, so patching to 0.8.7 remains the only complete remediation.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32661