Skip to main content

pam_usb CVE-2026-44712

| EUVDEUVD-2026-32662 HIGH
OS Command Injection (CWE-78)
2026-05-27 security-advisories@github.com
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 27, 2026 - 22:04 EUVD
Analysis Generated
May 27, 2026 - 21:32 vuln.today
CVE Published
May 27, 2026 - 21:16 nvd
HIGH 8.2

DescriptionGitHub Advisory

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, a crafted UUID such as $(id>/tmp/rce) in the config causes root RCE when pamusb-conf --reset-pads is run. A USB device with a crafted filesystem UUID (some controllers allow this) can inject the payload at --add-device time. Also, userName from the XML config is passed to os.system() in pamusb-agent, which invokes a shell. This vulnerability is fixed in 0.8.7.

AnalysisAI

Root command injection in pam_usb prior to 0.8.7 lets a local high-privileged user - or an attacker who can present a removable device with an attacker-chosen filesystem UUID - embed shell metacharacters (e.g. $(id>/tmp/rce)) that execute as root when an administrator runs pamusb-conf --reset-pads. A second injection path passes the userName value from the XML configuration directly to os.system() in pamusb-agent. No public exploit identified at time of analysis; the issue is fixed in 0.8.7.

Technical ContextAI

pam_usb is a PAM (Pluggable Authentication Module) for Linux that turns an ordinary USB removable drive into a hardware authentication token, identifying devices by their filesystem UUID and storing pairing/pad state in an XML configuration file (typically /etc/pamusb.conf). The vulnerability is a classic CWE-78 OS Command Injection: untrusted values - the device filesystem UUID captured at --add-device time and the userName element read back from the XML config - are concatenated into shell command lines that are executed via a shell (os.system() in pamusb-agent, and the command path triggered by pamusb-conf --reset-pads). Because some USB mass-storage controllers permit setting an arbitrary filesystem UUID, the UUID is effectively attacker-controlled input that flows unsanitized into a privileged shell invocation, allowing metacharacters like $(...), backticks, or ; to break out into arbitrary commands.

RemediationAI

Vendor-released patch: 0.8.7 - upgrade pam_usb to 0.8.7 or later, which fixes both injection paths (the crafted-UUID path in pamusb-conf and the userName-to-os.system() path in pamusb-agent), per GitHub Security Advisory GHSA-jgv5-w6rm-7wxg (https://github.com/mcdope/pam_usb/security/advisories/GHSA-jgv5-w6rm-7wxg). Until you can upgrade, treat /etc/pamusb.conf as security-sensitive: restrict write access to it so userName and device entries cannot be tampered with, and audit existing entries for shell metacharacters (e.g. $(), backticks, ;, |) before running pamusb-conf --reset-pads or --add-device - manually inspecting the UUID/userName values is the most direct compensating control. Avoid running pamusb-conf --add-device against USB devices of unknown provenance, since the device's filesystem UUID is the injection source; physically controlling which removable devices are enrolled limits the attack. As a stronger but disruptive interim measure, you can disable pam_usb in the PAM stack (removing the pam_usb lines from the relevant /etc/pam.d files), which eliminates the exposure at the cost of losing USB-token authentication and requiring fallback to password authentication.

Share

CVE-2026-44712 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy