Skip to main content

pam_usb CVE-2026-44709

| EUVDEUVD-2026-32661 HIGH
OS Command Injection (CWE-78)
2026-05-27 security-advisories@github.com
7.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 27, 2026 - 22:04 EUVD
Analysis Generated
May 27, 2026 - 21:31 vuln.today
CVE Published
May 27, 2026 - 21:16 nvd
HIGH 7.8

DescriptionGitHub Advisory

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, pamusb-pinentry reads the PINENTRY_FALLBACK_APP environment variable and executes it directly without any validation. Any process that can set environment variables before pamusb-pinentry is invoked can point PINENTRY_FALLBACK_APP at an arbitrary binary or script and have it executed with the privileges of the pam_usb tool chain. This vulnerability is fixed in 0.8.7.

AnalysisAI

Local privilege escalation in pam_usb prior to 0.8.7 lets a low-privileged user gain the elevated privileges of the pam_usb tool chain by abusing the pamusb-pinentry helper. The helper trusts the PINENTRY_FALLBACK_APP environment variable and executes its value directly, so any process able to set that variable before pamusb-pinentry runs can have an arbitrary binary executed. There is no public exploit identified at time of analysis, and the issue is fixed in version 0.8.7; the GitHub Security Advisory (GHSA-jxrj-q67x-wr4c) is the sole reference.

Technical ContextAI

pam_usb is a PAM authentication module that turns ordinary removable media (USB drives) into a hardware authentication factor for Linux logins, sudo, and similar PAM-gated actions. As part of its PIN-entry workflow it ships pamusb-pinentry, a helper that bridges to a pinentry program for collecting secrets. The flaw is a classic CWE-78 (Improper Neutralization of Special Elements used in an OS Command / command injection) issue: pamusb-pinentry reads the PINENTRY_FALLBACK_APP environment variable and passes it straight to execution with no allow-list, path validation, or sanitization. Because environment variables are inherited from the invoking process and pam_usb runs inside privileged authentication flows, an attacker-controlled value is executed in that privileged context. No CPE strings were provided in the source data, so exact affected platform/package identifiers were not enumerated by NVD here.

RemediationAI

Apply the vendor-released patch: upgrade pam_usb to version 0.8.7 or later, which removes the unvalidated execution of PINENTRY_FALLBACK_APP; see the advisory at https://github.com/mcdope/pam_usb/security/advisories/GHSA-jxrj-q67x-wr4c for details. If immediate upgrade is not possible, the most direct compensating control is to prevent the dangerous variable from reaching the helper - sanitize the PAM/login environment so PINENTRY_FALLBACK_APP cannot be inherited into privileged authentication flows (for example via pam_env configuration or by clearing the variable in the relevant service context), accepting that this may break any legitimate custom pinentry fallback behavior. Additionally, restrict local access to trusted users and audit who can invoke or influence the pam_usb tool chain, since the vulnerability fundamentally requires a local foothold; these controls reduce exposure but do not eliminate the flaw, so patching to 0.8.7 remains the only complete remediation.

Share

CVE-2026-44709 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy