Skip to main content

pam_usb CVE-2026-47273

| EUVDEUVD-2026-32652 MEDIUM
XML Injection (aka Blind XPath Injection) (CWE-91)
2026-05-27 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch available
May 27, 2026 - 22:04 EUVD
Source Code Evidence Fetched
May 27, 2026 - 21:29 vuln.today
Analysis Generated
May 27, 2026 - 21:29 vuln.today
CVE Published
May 27, 2026 - 20:03 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb builds XPath expressions from user-supplied identifiers (PAM username, service name) and device-supplied identifiers (USB device serial, model, vendor) to query /etc/pamusb.conf. These identifiers were not validated for XPath metacharacters, allowing injection of arbitrary XPath predicates. This vulnerability is fixed in 0.9.0.

AnalysisAI

XPath injection in pam_usb prior to 0.9.0 allows unauthenticated remote attackers to manipulate device-verification queries against /etc/pamusb.conf, potentially bypassing USB hardware authentication entirely. PAM usernames and service names submitted through network-facing services such as SSH are passed unsanitized into XPath expressions; injecting predicates such as ' or @id='victim causes the device-presence check to evaluate as true without the USB token physically present. No public exploit identified at time of analysis, though the GitHub security advisory, fix commit, and injection test cases demonstrating the technique are publicly available.

Technical ContextAI

pam_usb (CPE: cpe:2.3:a:mcdope:pam_usb:*:*:*:*:*:*:*:*) is a Linux PAM module that queries /etc/pamusb.conf using libxml2 XPath expressions to verify that a registered USB device is present for a given user and service. Three identifier classes were interpolated directly into XPath predicates without sanitization prior to 0.9.0: the PAM username (supplied by the authenticating client or remote service), the service name (e.g., 'login', 'sudo'), and USB device-supplied fields including serial, model, and vendor strings read directly from the plugged-in device. CWE-91 (XPath Injection) is the root cause - single-quote characters and other XPath metacharacters in these identifiers allow escape from the intended query context and injection of arbitrary predicates into the XML document query. The fix in commit 721fed08 introduces the pusb_conf_xpath_id_is_safe() function, which rejects any identifier containing a single quote (0x27) or ASCII control characters (values below 0x20) before any XPath expression is constructed. Validation is applied to all three identifier classes: username, service name, and device ID.

RemediationAI

Upgrade to pam_usb 0.9.0, the vendor-released patch for this vulnerability, confirmed in the CVE description and GitHub Security Advisory GHSA-vfj3-5h5v-6g93. The fix is implemented in commit 721fed08a3596cb5b4671ad702f8fdc12dcc7420 (https://github.com/mcdope/pam_usb/commit/721fed08a3596cb5b4671ad702f8fdc12dcc7420) via pull request #311 (https://github.com/mcdope/pam_usb/pull/311). If an immediate upgrade is not feasible, remove pam_usb from the PAM configuration of all network-facing services (e.g., delete or comment out the pam_usb line in /etc/pam.d/sshd) to eliminate the network attack vector (AV:N) - this trade-off disables hardware authentication for remote logins but contains risk to local, physically-attended sessions only. Do not attempt to sanitize PAM usernames at the application or SSH layer as a substitute for patching: device-supplied identifier injection via a physically-attached USB device with crafted serial, model, or vendor fields remains unmitigated by any network-layer control.

CVE-2026-48064 HIGH
8.1 May 27

Authentication bypass in pam_usb before 0.9.1 allows remote unauthenticated attackers to reach the USB hardware-authenti

CVE-2026-47272 HIGH
7.1 May 27

Authentication bypass in pam_usb prior to 0.9.0 lets a local user defeat the USB hardware-authentication factor by delet

CVE-2026-48065 MEDIUM
6.7 May 27

Heap buffer overflow in pam_usb prior to 0.9.1 allows a local attacker with high privileges to corrupt heap memory on 32

CVE-2026-48981 MEDIUM
6.7 Jun 18

XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to tr

CVE-2026-47274 MEDIUM
6.3 May 27

PATH hijacking in pam_usb helper tools prior to version 0.9.0 allows a local low-privileged attacker who can manipulate

CVE-2026-48980 MEDIUM
6.3 Jun 18

Environment variable injection in pam_usb prior to version 0.9.2 allows a local authenticated user to bypass hardware US

CVE-2026-48983 MEDIUM
5.8 Jun 18

Symlink race condition in pam_usb prior to 0.9.2 allows a local attacker to redirect one-time pad files to an attacker-c

CVE-2026-48982 MEDIUM
5.8 Jun 18

Non-atomic one-time pad file creation in pam_usb prior to 0.9.2 exposes the core replay-prevention mechanism to a local

CVE-2026-48066 MEDIUM
5.7 May 27

Concurrent PAM invocations in pam_usb prior to 0.9.1 expose a process-wide static pointer race condition in src/log.c, w

CVE-2026-48985 MEDIUM
5.5 Jun 18

NULL pointer dereference in pam_usb 0.9.1 and below crashes PAM-integrated authentication services (sudo, login) when lo

CVE-2026-48986 MEDIUM
4.7 Jun 18

Infinite loop denial-of-service in pam_usb 0.9.1 and earlier can permanently hang authentication processes such as sudo,

CVE-2026-48984 MEDIUM
4.7 Jun 18

Insecure deallocation in pam_usb 0.9.1 and below leaves sensitive authentication material - including one-time pad (OTP)

Share

CVE-2026-47273 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy