Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, the pusb_pad_compare() function in src/pad.c only verified that the user-side pad (~/.pamusb/device.pad) could be read, but did not enforce that the system-side pad (the pad file on the USB device) was also present and readable. If the user-side pad was deleted or unreadable, the function returned a failure that was treated as non-fatal in certain code paths, allowing authentication to succeed without the USB device being verified. A local user can delete their own ~/.pamusb/device.pad to remove the USB device requirement and authenticate without the physical device. This vulnerability is fixed in 0.9.0.
AnalysisAI
Authentication bypass in pam_usb prior to 0.9.0 lets a local user defeat the USB hardware-authentication factor by deleting their own ~/.pamusb/device.pad file. The flawed pusb_pad_compare() check in src/pad.c only confirmed the user-side pad was readable and treated its absence as a non-fatal failure in certain code paths, so authentication succeeded without the physical USB device ever being verified. There is no public exploit identified at time of analysis, but the technique is trivial - a single file deletion by the account owner.
Technical ContextAI
pam_usb is a PAM (Pluggable Authentication Modules) module for Linux that turns an ordinary removable USB device into a hardware authentication factor. It works by storing a matching 'pad' on both sides: a user-side pad at ~/.pamusb/device.pad in the user's home directory and a system-side pad written to the USB device itself; successful authentication is supposed to require both to be present and to match. The CPE cpe:2.3:a:mcdope:pam_usb:*:*:*:*:*:*:*:* identifies the affected component as the mcdope-maintained pam_usb package across all versions below the fix. The root cause maps to CWE-287 (Improper Authentication): pusb_pad_compare() verified only that the user-controlled pad could be read and, when it could not, returned a result that downstream logic treated as non-fatal, so the system-side pad on the USB device was never enforced as a precondition for success.
RemediationAI
Vendor-released patch: 0.9.0 - upgrade pam_usb to 0.9.0 or later, which enforces that the system-side pad on the USB device is present and readable rather than treating a missing user-side pad as non-fatal; see https://github.com/mcdope/pam_usb/security/advisories/GHSA-vx6f-rrqr-j87c. If you cannot upgrade immediately, treat pam_usb as a non-authoritative factor: in /etc/pam.d configure the pam_usb line as 'required' (not 'sufficient') and pair it with a mandatory password/primary factor so that bypassing the USB check alone cannot grant access; the trade-off is that legitimate USB failures will then block login. As an additional compensating control, monitor for deletion or absence of ~/.pamusb/device.pad files (e.g., via auditd file watches) and alert on it, accepting that this is detective rather than preventive. Avoid relying on pam_usb as a sole or 'sufficient' authentication mechanism until patched.
Authentication bypass in pam_usb before 0.9.1 allows remote unauthenticated attackers to reach the USB hardware-authenti
Heap buffer overflow in pam_usb prior to 0.9.1 allows a local attacker with high privileges to corrupt heap memory on 32
XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to tr
XPath injection in pam_usb prior to 0.9.0 allows unauthenticated remote attackers to manipulate device-verification quer
PATH hijacking in pam_usb helper tools prior to version 0.9.0 allows a local low-privileged attacker who can manipulate
Environment variable injection in pam_usb prior to version 0.9.2 allows a local authenticated user to bypass hardware US
Symlink race condition in pam_usb prior to 0.9.2 allows a local attacker to redirect one-time pad files to an attacker-c
Non-atomic one-time pad file creation in pam_usb prior to 0.9.2 exposes the core replay-prevention mechanism to a local
Concurrent PAM invocations in pam_usb prior to 0.9.1 expose a process-wide static pointer race condition in src/log.c, w
NULL pointer dereference in pam_usb 0.9.1 and below crashes PAM-integrated authentication services (sudo, login) when lo
Infinite loop denial-of-service in pam_usb 0.9.1 and earlier can permanently hang authentication processes such as sudo,
Insecure deallocation in pam_usb 0.9.1 and below leaves sensitive authentication material - including one-time pad (OTP)
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32653