Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, when a PAM service is configured with deny_remote=false in pam_usb (commonly done for display managers such as gdm-password or lightdm to bypass process/TTY heuristics for local sessions), the PAM_RHOST check in pusb_do_auth() is also skipped. PAM_RHOST is set by remote daemons (sshd, XDMCP servers) to identify the remote client address. Because the check is gated inside if (opts.deny_remote), a genuine remote XDMCP connection reaches the USB device authentication step instead of being rejected. This vulnerability is fixed in 0.9.1.
AnalysisAI
Authentication bypass in pam_usb before 0.9.1 allows remote unauthenticated attackers to reach the USB hardware-authentication step over XDMCP when an administrator has set deny_remote=false - a common tweak for display managers like gdm-password or lightdm. Because the PAM_RHOST remote-client check is gated inside the same deny_remote conditional, disabling deny_remote inadvertently disables the safeguard that rejects remote connections, so a genuine remote XDMCP session is treated like a local one. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the high CVSS (8.1) reflects full compromise of confidentiality, integrity, and availability if the attacker satisfies the configuration prerequisites.
Technical ContextAI
pam_usb is a Pluggable Authentication Module (PAM) for Linux that provides two-factor / hardware authentication using ordinary removable USB media as the token. The relevant logic lives in pusb_do_auth(), which is supposed to consult PAM_RHOST - a field populated by remote daemons such as sshd and XDMCP servers to record the connecting client's address - and refuse authentication when the request originates remotely. The deny_remote option exists to relax process/TTY heuristics for legitimate local display-manager sessions. The root cause maps to CWE-863 (Incorrect Authorization): the PAM_RHOST remote-source rejection is nested inside the if (opts.deny_remote) branch, so turning deny_remote off to accommodate gdm/lightdm also removes the only check that distinguishes a remote XDMCP client from a local console session, letting the remote request fall through to USB device authentication. The affected component per CPE is cpe:2.3:a:mcdope:pam_usb (the mcdope pam_usb project).
RemediationAI
Upgrade pam_usb to version 0.9.1 or later, which moves/repairs the PAM_RHOST check so it is no longer bypassed by deny_remote (Vendor-released patch: 0.9.1; see https://github.com/mcdope/pam_usb/security/advisories/GHSA-w38v-cw9r-x9p6). If you cannot upgrade immediately, revert deny_remote back to true (the default) wherever it was disabled - the trade-off is that the process/TTY heuristics it relaxes may again interfere with some local display-manager sessions, so test gdm-password/lightdm logins afterward. As an additional compensating control, disable XDMCP on the display manager (e.g. unset Enable=true in the [xdmcp] section) and block the XDMCP UDP/177 port at the host or network firewall so remote display connections cannot reach the PAM stack at all; this removes remote login capability entirely, which is acceptable for hosts that should only allow local console sessions. Review the issue at https://github.com/mcdope/pam_usb/issues/348 for context on which services set PAM_RHOST.
Authentication bypass in pam_usb prior to 0.9.0 lets a local user defeat the USB hardware-authentication factor by delet
Heap buffer overflow in pam_usb prior to 0.9.1 allows a local attacker with high privileges to corrupt heap memory on 32
XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to tr
XPath injection in pam_usb prior to 0.9.0 allows unauthenticated remote attackers to manipulate device-verification quer
PATH hijacking in pam_usb helper tools prior to version 0.9.0 allows a local low-privileged attacker who can manipulate
Environment variable injection in pam_usb prior to version 0.9.2 allows a local authenticated user to bypass hardware US
Symlink race condition in pam_usb prior to 0.9.2 allows a local attacker to redirect one-time pad files to an attacker-c
Non-atomic one-time pad file creation in pam_usb prior to 0.9.2 exposes the core replay-prevention mechanism to a local
Concurrent PAM invocations in pam_usb prior to 0.9.1 expose a process-wide static pointer race condition in src/log.c, w
NULL pointer dereference in pam_usb 0.9.1 and below crashes PAM-integrated authentication services (sudo, login) when lo
Infinite loop denial-of-service in pam_usb 0.9.1 and earlier can permanently hang authentication processes such as sudo,
Insecure deallocation in pam_usb 0.9.1 and below leaves sensitive authentication material - including one-time pad (OTP)
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32650