Skip to main content

pam_usb CVE-2026-44711

| EUVDEUVD-2026-32659 HIGH
Improper Link Resolution Before File Access (CWE-59)
2026-05-27 security-advisories@github.com
7.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.9 HIGH
AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 27, 2026 - 22:04 EUVD
Analysis Generated
May 27, 2026 - 21:31 vuln.today
CVE Published
May 27, 2026 - 21:16 nvd
HIGH 7.9

DescriptionGitHub Advisory

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, symlink attacks on pad directory and pad files enable authentication bypass and root file corruption. This vulnerability is fixed in 0.8.7.

AnalysisAI

Symlink-based authentication bypass and file corruption in pam_usb before 0.8.7 lets a local, low-privileged user defeat USB hardware authentication and overwrite root-owned files. By planting symlinks in the pad directory or on individual pad files, an attacker abuses CWE-59 link-following during the one-time-pad rotation that pam_usb performs on login, redirecting privileged file operations. No public exploit code has been identified at time of analysis, the issue is not listed in CISA KEV, and no EPSS score is available; exploitation requires local access plus a triggering authentication event.

Technical ContextAI

pam_usb is a PAM (Pluggable Authentication Module) for Linux that turns ordinary removable media (a USB stick) into a hardware authentication factor. It works by storing a one-time 'pad' that is duplicated on both the device and the host and rotated each time authentication succeeds; the pad files live in a host-side pad directory. The root cause is CWE-59 (Improper Link Resolution Before File Access / 'Link Following'): the module accesses the pad directory and pad files without safely resolving symbolic links, so an attacker who controls those paths can make pam_usb follow a symlink to an arbitrary target. Because the unsafe operations run in the context of the authentication flow rather than the attacker's own context, the CVSS Scope is marked Changed (S:C), reflecting that a low-privileged actor can influence root-owned resources.

RemediationAI

Vendor-released patch: 0.8.7 - upgrade pam_usb to 0.8.7 or later, which is the documented fix per the GitHub advisory at https://github.com/mcdope/pam_usb/security/advisories/GHSA-fjpm-p9pj-mp34. Until the upgrade is applied, reduce exposure by tightening filesystem permissions and ownership on the pad directory and pad files so that only root (not unprivileged local users) can create or modify entries there, and place the pad directory on a path no untrusted local account can write to or create symlinks within; the trade-off is that overly restrictive permissions or relocating the pad store can break pam_usb's pad rotation and lock out legitimate authentication, so test login flows after changes. As an additional compensating control, consider temporarily disabling pam_usb in the PAM stack on multi-user hosts where untrusted local accounts exist, accepting that this removes the USB two-factor protection until patched.

Share

CVE-2026-44711 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy