Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/evdev.c silently ignores EACCES errors when opening /dev/input/event* nodes, causing pusb_has_virtual_input_device() to return 0 (no virtual devices found) even when every open() call failed due to insufficient permissions. The caller in src/local.c cannot distinguish a clean absence of virtual devices from a permission-denied scan, and acts on the false negative by continuing authentication without denying. This vulnerability is fixed in 0.9.1.
AnalysisAI
Authentication bypass in pam_usb prior to 0.9.1 allows a local low-privileged user to circumvent hardware token requirements by exploiting silent EACCES error suppression in the virtual input device scanner. When the PAM module's evdev.c component fails to open /dev/input/event* nodes due to permission errors, it returns a false negative indicating no virtual devices are present, and the caller in local.c proceeds with authentication as if the hardware check passed cleanly. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
pam_usb is a Linux PAM (Pluggable Authentication Modules) module developed by mcdope that enforces hardware-based two-factor authentication using removable USB media. The vulnerability resides in src/evdev.c within the pusb_has_virtual_input_device() function, which iterates over /dev/input/event* character device nodes to detect virtual input devices (a common indicator of automated or spoofed login attempts). When open() calls on these nodes return EACCES, the error is caught but no corrective action is taken - matching CWE-390 (Detection of Error Condition Without Action). The function then returns 0, semantically equivalent to 'no virtual devices found,' even though the scan was entirely incomplete. The caller in src/local.c cannot distinguish this permission-failure state from a legitimate clean scan result, and therefore continues the authentication flow rather than failing securely. Affected CPE: cpe:2.3:a:mcdope:pam_usb:*:*:*:*:*:*:*:* (all versions prior to 0.9.1).
RemediationAI
Vendor-released patch: 0.9.1. Upgrade pam_usb to version 0.9.1 or later, which resolves the silent EACCES suppression in src/evdev.c so that permission errors during /dev/input/event* scanning cause authentication to fail securely rather than proceed with a false negative. The advisory is available at https://github.com/mcdope/pam_usb/security/advisories/GHSA-pvrg-chgw-x42c. If an immediate upgrade is not possible, a compensating control is to ensure that the user or process invoking pam_usb has appropriate read permissions on /dev/input/event* nodes, so that EACCES errors cannot occur and the false-negative condition is avoided - however, this trade-off may broaden device access beyond intended scope and should be evaluated against local security policy. Alternatively, temporarily removing pam_usb from the PAM stack and substituting another second-factor mechanism eliminates the bypass risk at the cost of losing USB hardware authentication until patched.
Authentication bypass in pam_usb before 0.9.1 allows remote unauthenticated attackers to reach the USB hardware-authenti
Authentication bypass in pam_usb prior to 0.9.0 lets a local user defeat the USB hardware-authentication factor by delet
Heap buffer overflow in pam_usb prior to 0.9.1 allows a local attacker with high privileges to corrupt heap memory on 32
XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to tr
XPath injection in pam_usb prior to 0.9.0 allows unauthenticated remote attackers to manipulate device-verification quer
PATH hijacking in pam_usb helper tools prior to version 0.9.0 allows a local low-privileged attacker who can manipulate
Environment variable injection in pam_usb prior to version 0.9.2 allows a local authenticated user to bypass hardware US
Symlink race condition in pam_usb prior to 0.9.2 allows a local attacker to redirect one-time pad files to an attacker-c
Non-atomic one-time pad file creation in pam_usb prior to 0.9.2 exposes the core replay-prevention mechanism to a local
Concurrent PAM invocations in pam_usb prior to 0.9.1 expose a process-wide static pointer race condition in src/log.c, w
NULL pointer dereference in pam_usb 0.9.1 and below crashes PAM-integrated authentication services (sudo, login) when lo
Infinite loop denial-of-service in pam_usb 0.9.1 and earlier can permanently hang authentication processes such as sudo,
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32647