Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
The local attack vector and low-privilege requirement reflect that a local account and manipulation of the process environment are needed before the setuid binary executes; C:H/I:H capture a full authentication bypass that can yield root via sudo.
Primary rating from Vendor (GitHub_M).
CVSS Vector (Vendor: GitHub_M)
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Description (CVE.org)
pam_usb provides hardware authentication for Linux using removable media. In versions prior to 0.9.2, the environment variables XRDP_SESSION, DISPLAY and TMUX, read via getenv(), allow environment variable injection into the local-session check logic. These variables influence whether the current session is treated as local or remote, and because the PAM module runs in the context of setuid binaries (sudo, su), getenv() returns attacker-controlled values whenever the process environment has been manipulated by a local user. This issue has been fixed in version 0.9.2.
Analysis (AI)
Environment variable injection in pam_usb prior to version 0.9.2 allows a local authenticated user to bypass hardware USB token authentication by manipulating the XRDP_SESSION, DISPLAY, or TMUX environment variables before invoking setuid binaries such as sudo or su. Because the PAM module calls the standard getenv(), which returns environment values unchanged even when the process is running with elevated privileges, attacker-controlled environment data is used to decide whether the current session is local or remote, potentially defeating the core purpose of hardware-enforced authentication. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires three conditions: (1) pam_usb must be installed and configured in the PAM stack of a setuid binary, specifically sudo or su, on a Linux system; (2) the attacker must hold a local user account permitted to invoke that setuid binary (PR:L); and (3) the attacker must set one or more of XRDP_SESSION, DISPLAY, or TMUX in the process environment to values that make pam_usb's session-type check return an unexpected classification before the setuid binary executes. … |
| Risk Assessment | The NVD CVSS 3.1 score of 6.3 Medium (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N) captures the local-only attack surface and the elevated attack complexity; the High confidentiality and integrity sub-scores reflect that successful exploitation is a complete authentication bypass, potentially granting root via sudo without a hardware token. … |
| Exploit Scenario | A local user with a standard account sets XRDP_SESSION=1 (or manipulates DISPLAY or TMUX) in their shell environment, then invokes sudo to execute a privileged command. When pam_usb runs inside the sudo setuid process, getenv() returns the attacker-controlled value, so the module classifies the session as a remote-desktop or non-local session and alters its hardware token enforcement logic, allowing the command to proceed without the required USB device being presented. … |
| Remediation | Upgrade pam_usb to version 0.9.2 immediately; this release replaces getenv() with secure_getenv() in the PAM context (commit #384, issue #368), which is the direct fix for this vulnerability. … |
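The description and the Remediation row both turn on one detail: inside a setuid process, getenv() hands the PAM module whatever the invoking user placed in the environment, while secure_getenv() returns NULL for every name when the kernel has marked the execution as secure (AT_SECURE, which is set for setuid/setgid binaries such as sudo and su). The C program below is an added illustration written for this page, not pam_usb's code. Its session classifier is a simplified model (any of XRDP_SESSION, DISPLAY or TMUX set to a non-empty value means "remote"), and the names classify_session, token_required, lookup_getenv, lookup_secure_getenv, lookup_as_if_secure and running_secure are assumptions of this example. It runs the same constructed environment through the vulnerable lookup and the hardened lookup so the difference in the token decision is visible.

```c
#define _GNU_SOURCE          /* for secure_getenv(), setenv(), unsetenv() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>        /* getauxval(AT_SECURE): is this a setuid/setgid execution? */

/* glibc extension used by the 0.9.2 fix; declared explicitly in case <stdlib.h>
 * was first pulled in without _GNU_SOURCE in effect. */
extern char *secure_getenv(const char *name);

/* The three variables the advisory names as steering pam_usb's local/remote decision. */
static const char *const SESSION_VARS[] = { "XRDP_SESSION", "DISPLAY", "TMUX" };
#define NUM_SESSION_VARS (sizeof SESSION_VARS / sizeof SESSION_VARS[0])

enum session_kind { SESSION_LOCAL = 0, SESSION_REMOTE = 1 };

/* How a value is fetched from the environment; this is the only thing that differs
 * between the vulnerable and the hardened variant. */
typedef const char *(*env_lookup_fn)(const char *name);

/* Simplified model of the session check (an assumption for illustration, not pam_usb's
 * real logic): if any of the variables is set to a non-empty value, treat the session
 * as remote; otherwise it is local. */
enum session_kind classify_session(env_lookup_fn lookup) {
    for (size_t i = 0; i < NUM_SESSION_VARS; i++) {
        const char *v = lookup(SESSION_VARS[i]);
        if (v != NULL && v[0] != '\0')
            return SESSION_REMOTE;
    }
    return SESSION_LOCAL;
}

/* Policy as the advisory describes it: the USB token is enforced for local sessions and
 * relaxed for sessions classified as remote. Returns 1 if the token must be presented. */
int token_required(env_lookup_fn lookup) {
    return classify_session(lookup) == SESSION_LOCAL;
}

/* Vulnerable lookup (pre-0.9.2 shape): plain getenv() hands back whatever the invoking
 * user placed in the environment, even when the process is running setuid. */
const char *lookup_getenv(const char *name) {
    return getenv(name);
}

/* Hardened lookup (the 0.9.2 fix): secure_getenv() returns NULL for every name when the
 * execution is AT_SECURE, so user-supplied values never reach the classifier and the
 * check fails closed to "local", i.e. the token stays required. */
const char *lookup_secure_getenv(const char *name) {
    return secure_getenv(name);
}

/* Constructed stand-in for what secure_getenv() yields inside an AT_SECURE process; it
 * lets a non-setuid run (like this file's main) observe the hardened behaviour. */
const char *lookup_as_if_secure(const char *name) {
    (void)name;
    return NULL;
}

/* 1 if this process is itself a secure execution (setuid/setgid), else 0. */
int running_secure(void) {
    return getauxval(AT_SECURE) != 0;
}

int main(void) {
    /* Constructed scenario from the advisory: the invoking user sets XRDP_SESSION=1. */
    setenv("XRDP_SESSION", "1", 1);

    printf("process is secure execution (AT_SECURE): %s\n", running_secure() ? "yes" : "no");
    printf("getenv()-based check  : token required = %d\n", token_required(lookup_getenv));
    printf("secure_getenv() check : token required = %d\n", token_required(lookup_secure_getenv));
    printf("as-if-AT_SECURE check : token required = %d\n", token_required(lookup_as_if_secure));

    unsetenv("XRDP_SESSION");
    return 0;
}
```

Compiled with cc on a glibc system and run as a normal user, the getenv() path reports the token as not required, and the secure_getenv() path gives the same answer because the process is not AT_SECURE; only the as-if-secure lookup shows the fixed behaviour. When the same code runs inside a setuid binary, secure_getenv() discards the environment, which is why the 0.9.2 change is an effective fix for sudo and su, and why a code review or static check of a PAM module should flag any getenv() call that sits on an authentication decision path.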
Authentication bypass in pam_usb before 0.9.1 allows remote unauthenticated attackers to reach the USB hardware-authenti
Authentication bypass in pam_usb prior to 0.9.0 lets a local user defeat the USB hardware-authentication factor by delet
Heap buffer overflow in pam_usb prior to 0.9.1 allows a local attacker with high privileges to corrupt heap memory on 32
XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to tr
XPath injection in pam_usb prior to 0.9.0 allows unauthenticated remote attackers to manipulate device-verification quer
PATH hijacking in pam_usb helper tools prior to version 0.9.0 allows a local low-privileged attacker who can manipulate
Symlink race condition in pam_usb prior to 0.9.2 allows a local attacker to redirect one-time pad files to an attacker-c
Non-atomic one-time pad file creation in pam_usb prior to 0.9.2 exposes the core replay-prevention mechanism to a local
Concurrent PAM invocations in pam_usb prior to 0.9.1 expose a process-wide static pointer race condition in src/log.c, w
NULL pointer dereference in pam_usb 0.9.1 and below crashes PAM-integrated authentication services (sudo, login) when lo
Infinite loop denial-of-service in pam_usb 0.9.1 and earlier can permanently hang authentication processes such as sudo,
Insecure deallocation in pam_usb 0.9.1 and below leaves sensitive authentication material - including one-time pad (OTP)
Same technique: Code Injection
EUVD-2026-37937