EUVD-2026-32653CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionNVD
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, the pusb_pad_compare() function in src/pad.c only verified that the user-side pad (~/.pamusb/device.pad) could be read, but did not enforce that the system-side pad (the pad file on the USB device) was also present and readable. If the user-side pad was deleted or unreadable, the function returned a failure that was treated as non-fatal in certain code paths, allowing authentication to succeed without the USB device being verified. A local user can delete their own ~/.pamusb/device.pad to remove the USB device requirement and authenticate without the physical device. This vulnerability is fixed in 0.9.0.
AnalysisAI
Authentication bypass in pam_usb prior to 0.9.0 lets a local user defeat the USB hardware-authentication factor by deleting their own ~/.pamusb/device.pad file. The flawed pusb_pad_compare() check in src/pad.c only confirmed the user-side pad was readable and treated its absence as a non-fatal failure in certain code paths, so authentication succeeded without the physical USB device ever being verified. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Identify all systems running pam_usb versions prior to 0.9.0 and document their business criticality. Within 7 days: Deploy file system monitoring for ~/.pamusb/device.pad deletion events, implement filesystem protections preventing local users from deleting authentication tokens, and establish incident response procedures. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today