Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb builds XPath expressions from user-supplied identifiers (PAM username, service name) and device-supplied identifiers (USB device serial, model, vendor) to query /etc/pamusb.conf. These identifiers were not validated for XPath metacharacters, allowing injection of arbitrary XPath predicates. This vulnerability is fixed in 0.9.0.
AnalysisAI
XPath injection in pam_usb prior to 0.9.0 allows unauthenticated remote attackers to manipulate device-verification queries against /etc/pamusb.conf, potentially bypassing USB hardware authentication entirely. PAM usernames and service names submitted through network-facing services such as SSH are passed unsanitized into XPath expressions; injecting predicates such as ' or @id='victim causes the device-presence check to evaluate as true without the USB token physically present. No public exploit identified at time of analysis, though the GitHub security advisory, fix commit, and injection test cases demonstrating the technique are publicly available.
Technical ContextAI
pam_usb (CPE: cpe:2.3:a:mcdope:pam_usb:*:*:*:*:*:*:*:*) is a Linux PAM module that queries /etc/pamusb.conf using libxml2 XPath expressions to verify that a registered USB device is present for a given user and service. Three identifier classes were interpolated directly into XPath predicates without sanitization prior to 0.9.0: the PAM username (supplied by the authenticating client or remote service), the service name (e.g., 'login', 'sudo'), and USB device-supplied fields including serial, model, and vendor strings read directly from the plugged-in device. CWE-91 (XPath Injection) is the root cause - single-quote characters and other XPath metacharacters in these identifiers allow escape from the intended query context and injection of arbitrary predicates into the XML document query. The fix in commit 721fed08 introduces the pusb_conf_xpath_id_is_safe() function, which rejects any identifier containing a single quote (0x27) or ASCII control characters (values below 0x20) before any XPath expression is constructed. Validation is applied to all three identifier classes: username, service name, and device ID.
RemediationAI
Upgrade to pam_usb 0.9.0, the vendor-released patch for this vulnerability, confirmed in the CVE description and GitHub Security Advisory GHSA-vfj3-5h5v-6g93. The fix is implemented in commit 721fed08a3596cb5b4671ad702f8fdc12dcc7420 (https://github.com/mcdope/pam_usb/commit/721fed08a3596cb5b4671ad702f8fdc12dcc7420) via pull request #311 (https://github.com/mcdope/pam_usb/pull/311). If an immediate upgrade is not feasible, remove pam_usb from the PAM configuration of all network-facing services (e.g., delete or comment out the pam_usb line in /etc/pam.d/sshd) to eliminate the network attack vector (AV:N) - this trade-off disables hardware authentication for remote logins but contains risk to local, physically-attended sessions only. Do not attempt to sanitize PAM usernames at the application or SSH layer as a substitute for patching: device-supplied identifier injection via a physically-attached USB device with crafted serial, model, or vendor fields remains unmitigated by any network-layer control.
Authentication bypass in pam_usb before 0.9.1 allows remote unauthenticated attackers to reach the USB hardware-authenti
Authentication bypass in pam_usb prior to 0.9.0 lets a local user defeat the USB hardware-authentication factor by delet
Heap buffer overflow in pam_usb prior to 0.9.1 allows a local attacker with high privileges to corrupt heap memory on 32
XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to tr
PATH hijacking in pam_usb helper tools prior to version 0.9.0 allows a local low-privileged attacker who can manipulate
Environment variable injection in pam_usb prior to version 0.9.2 allows a local authenticated user to bypass hardware US
Symlink race condition in pam_usb prior to 0.9.2 allows a local attacker to redirect one-time pad files to an attacker-c
Non-atomic one-time pad file creation in pam_usb prior to 0.9.2 exposes the core replay-prevention mechanism to a local
Concurrent PAM invocations in pam_usb prior to 0.9.1 expose a process-wide static pointer race condition in src/log.c, w
NULL pointer dereference in pam_usb 0.9.1 and below crashes PAM-integrated authentication services (sudo, login) when lo
Infinite loop denial-of-service in pam_usb 0.9.1 and earlier can permanently hang authentication processes such as sudo,
Insecure deallocation in pam_usb 0.9.1 and below leaves sensitive authentication material - including one-time pad (OTP)
Same weakness CWE-91 – XML Injection (aka Blind XPath Injection)
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32652