Severity by source
AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, symlink attacks on pad directory and pad files enable authentication bypass and root file corruption. This vulnerability is fixed in 0.8.7.
AnalysisAI
Symlink-based authentication bypass and file corruption in pam_usb before 0.8.7 lets a local, low-privileged user defeat USB hardware authentication and overwrite root-owned files. By planting symlinks in the pad directory or on individual pad files, an attacker abuses CWE-59 link-following during the one-time-pad rotation that pam_usb performs on login, redirecting privileged file operations. No public exploit code has been identified at time of analysis, the issue is not listed in CISA KEV, and no EPSS score is available; exploitation requires local access plus a triggering authentication event.
Technical ContextAI
pam_usb is a PAM (Pluggable Authentication Module) for Linux that turns ordinary removable media (a USB stick) into a hardware authentication factor. It works by storing a one-time 'pad' that is duplicated on both the device and the host and rotated each time authentication succeeds; the pad files live in a host-side pad directory. The root cause is CWE-59 (Improper Link Resolution Before File Access / 'Link Following'): the module accesses the pad directory and pad files without safely resolving symbolic links, so an attacker who controls those paths can make pam_usb follow a symlink to an arbitrary target. Because the unsafe operations run in the context of the authentication flow rather than the attacker's own context, the CVSS Scope is marked Changed (S:C), reflecting that a low-privileged actor can influence root-owned resources.
RemediationAI
Vendor-released patch: 0.8.7 - upgrade pam_usb to 0.8.7 or later, which is the documented fix per the GitHub advisory at https://github.com/mcdope/pam_usb/security/advisories/GHSA-fjpm-p9pj-mp34. Until the upgrade is applied, reduce exposure by tightening filesystem permissions and ownership on the pad directory and pad files so that only root (not unprivileged local users) can create or modify entries there, and place the pad directory on a path no untrusted local account can write to or create symlinks within; the trade-off is that overly restrictive permissions or relocating the pad store can break pam_usb's pad rotation and lock out legitimate authentication, so test login flows after changes. As an additional compensating control, consider temporarily disabling pam_usb in the PAM stack on multi-user hosts where untrusted local accounts exist, accepting that this removes the USB two-factor protection until patched.
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32659