Skip to main content

pam_usb CVE-2026-47274

| EUVDEUVD-2026-32651 MEDIUM
Uncontrolled Search Path Element (CWE-427)
2026-05-27 GitHub_M
6.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.3 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch available
May 27, 2026 - 22:04 EUVD
Source Code Evidence Fetched
May 27, 2026 - 21:28 vuln.today
Analysis Generated
May 27, 2026 - 21:28 vuln.today
CVE Published
May 27, 2026 - 20:02 nvd
MEDIUM 6.3

DescriptionGitHub Advisory

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, multiple pam_usb helper tools resolved external binaries through the PATH environment variable rather than using absolute paths. An attacker who can influence the process environment during PAM authentication or tool execution could substitute malicious binaries. The affected tools are pamusb-check (src/tmux.c), pamusb-conf (tools/pamusb-conf), and pamusb-keyring-unlock-gnome (tools/pamusb-keyring-unlock-gnome). This vulnerability is fixed in 0.9.0.

AnalysisAI

PATH hijacking in pam_usb helper tools prior to version 0.9.0 allows a local low-privileged attacker who can manipulate the process environment to substitute malicious binaries for those called by pamusb-check, pamusb-conf, and pamusb-keyring-unlock-gnome, resulting in high confidentiality and integrity impact. The root cause is CWE-427 (Uncontrolled Search Path Element): all three tools resolved external binaries - including id, whoami, pidof, gnome-keyring-daemon, and pamusb-check itself - through the attacker-controllable PATH variable rather than hardcoded absolute paths. No public exploit code exists and this vulnerability is not listed in CISA KEV at time of analysis.

Technical ContextAI

pam_usb is a Linux PAM module that implements hardware-based authentication using removable USB storage media, maintained by mcdope (CPE: cpe:2.3:a:mcdope:pam_usb:*:*:*:*:*:*:*:*). The affected tools are shell scripts and C code that invoke external utilities at runtime. CWE-427 (Uncontrolled Search Path Element) describes the root cause: when a program uses a user-supplied or environment-controlled search path to locate executables, a malicious binary placed earlier in PATH can be executed in place of the intended one. The commit diffs confirm that pamusb-keyring-unlock-gnome called binaries such as pamusb-check, id, whoami, pidof, gnome-keyring-daemon, stat, awk, sed, head, kill, and logger without absolute paths. The fix for all three affected tools hardcodes absolute paths (e.g., PAMUSB_CHECK=/usr/bin/pamusb-check, ID=/usr/bin/id, GNOME_KEYRING_DAEMON=/usr/bin/gnome-keyring-daemon) so that PATH manipulation cannot redirect binary resolution. The fix also eliminates a secondary issue in pamusb-keyring-unlock-gnome where the keyring password file could be sourced as shell code; it now reads the value via sed without executing the file.

RemediationAI

Upgrade pam_usb to version 0.9.0, which resolves the PATH hijacking across all three affected helper tools via commits 1ee8745920388df48d001a8e61ba629071557937, 52a1fd6413b7ffcc1a5b58ce432be42e7bf0dbd0, and 993e73d8bebb1d8e62677388de3402b6ec36b600 (see https://github.com/mcdope/pam_usb/security/advisories/GHSA-pp29-w28g-r9h9). If upgrading immediately is not feasible, restrict which local user accounts are permitted to invoke pam_usb helper tools by tightening PAM configuration and file permissions on the helper scripts (chmod 0755 owned by root). Additionally, enforce a controlled, read-only PATH for PAM sessions by setting PATH explicitly in the PAM configuration or in /etc/environment to a minimal set of trusted directories, reducing the attacker's ability to prepend malicious directories. Note that path-restriction workarounds do not address all exposure vectors and are not a substitute for patching. Systems where only a single trusted user runs pam_usb tools face substantially reduced risk from this vulnerability.

CVE-2026-48064 HIGH
8.1 May 27

Authentication bypass in pam_usb before 0.9.1 allows remote unauthenticated attackers to reach the USB hardware-authenti

CVE-2026-47272 HIGH
7.1 May 27

Authentication bypass in pam_usb prior to 0.9.0 lets a local user defeat the USB hardware-authentication factor by delet

CVE-2026-48065 MEDIUM
6.7 May 27

Heap buffer overflow in pam_usb prior to 0.9.1 allows a local attacker with high privileges to corrupt heap memory on 32

CVE-2026-48981 MEDIUM
6.7 Jun 18

XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to tr

CVE-2026-47273 MEDIUM
6.5 May 27

XPath injection in pam_usb prior to 0.9.0 allows unauthenticated remote attackers to manipulate device-verification quer

CVE-2026-48980 MEDIUM
6.3 Jun 18

Environment variable injection in pam_usb prior to version 0.9.2 allows a local authenticated user to bypass hardware US

CVE-2026-48983 MEDIUM
5.8 Jun 18

Symlink race condition in pam_usb prior to 0.9.2 allows a local attacker to redirect one-time pad files to an attacker-c

CVE-2026-48982 MEDIUM
5.8 Jun 18

Non-atomic one-time pad file creation in pam_usb prior to 0.9.2 exposes the core replay-prevention mechanism to a local

CVE-2026-48066 MEDIUM
5.7 May 27

Concurrent PAM invocations in pam_usb prior to 0.9.1 expose a process-wide static pointer race condition in src/log.c, w

CVE-2026-48985 MEDIUM
5.5 Jun 18

NULL pointer dereference in pam_usb 0.9.1 and below crashes PAM-integrated authentication services (sudo, login) when lo

CVE-2026-48986 MEDIUM
4.7 Jun 18

Infinite loop denial-of-service in pam_usb 0.9.1 and earlier can permanently hang authentication processes such as sudo,

CVE-2026-48984 MEDIUM
4.7 Jun 18

Insecure deallocation in pam_usb 0.9.1 and below leaves sensitive authentication material - including one-time pad (OTP)

Share

CVE-2026-47274 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy