Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
Local-only TOCTOU race (AV:L, AC:H); low-privilege account sufficient (PR:L); OTP pad exposure yields high confidentiality impact with limited integrity and availability disruption.
Primary rating from Vendor (GitHub_M).
CVSS Vector (Vendor: GitHub_M)
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
Description (CVE.org)
pam_usb provides hardware authentication for Linux using ordinary removable media. In versions prior to 0.9.2, a symlink race condition exists in per-device and per-user pad directory creation. pam_usb uses a check-then-act pattern: it calls lstat() to test for existence and then calls mkdir() separately to create the directory. A local attacker can win the race between these calls by replacing the target path with a symlink to a directory they control. If successful, one-time pad files may be written to an attacker-controlled location, potentially exposing future pad values before use or disrupting authentication. This issue has been fixed in version 0.9.2.
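The check-then-act pattern from the description, beside one way to close the window, as an added example (not pam_usb's code and not the 0.9.2 patch). The function names, the `pads` and `other` directory names, and the owner/mode policy are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check-then-act, as in the description: existence test and creation are separate. */
int pad_dir_racy(const char *path)
{
    struct stat st;
    if (lstat(path, &st) == 0)
        return 0;                    /* something exists; type and owner unchecked */
    return mkdir(path, S_IRWXU);     /* path may have been replaced since lstat() */
}

/* Create first, then pin and verify the object. Returns a directory fd, or -1. */
int pad_dir_safe(const char *path, uid_t owner)
{
    struct stat st;
    if (mkdir(path, S_IRWXU) != 0 && errno != EEXIST) return -1;
    /* O_NOFOLLOW | O_DIRECTORY: open() fails if the last component is a symlink. */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    /* fstat() describes the opened object, so a later swap of the path is moot. */
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd;                       /* create pad files with openat(fd, ...) */
}

/* Constructed self-check in a private temp dir; 1 means all three cases behave as expected. */
int demo(void)
{
    char base[] = "/tmp/padXXXXXX", other[64], pads[64], fresh[64];
    if (!mkdtemp(base)) return -1;
    snprintf(other, sizeof other, "%s/other", base);
    snprintf(pads, sizeof pads, "%s/pads", base);
    snprintf(fresh, sizeof fresh, "%s/fresh", base);
    if (mkdir(other, S_IRWXU) || symlink(other, pads)) return -1;
    int fd = pad_dir_safe(fresh, geteuid());   /* real directory: accepted */
    if (fd >= 0) close(fd);
    return pad_dir_racy(pads) == 0 && pad_dir_safe(pads, geteuid()) < 0 && fd >= 0;
}

int main(void) { return demo() == 1 ? 0 : 1; }
```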
Analysis (AI)
Symlink race condition in pam_usb prior to 0.9.2 allows a local attacker to redirect one-time pad files to an attacker-controlled directory, potentially exposing future OTP values before use and undermining hardware-based PAM authentication on Linux. The flaw is a classic TOCTOU pattern in per-device and per-user pad directory creation, fixed as part of a 12-issue security hardening release (0.9.2) triggered by an ongoing audit. …
Vulnerability Assessment (AI)
| Exploitation | Exploitation requires a local account with code execution capability on a Linux system running pam_usb prior to 0.9.2 with one-time pad (OTP) authentication actively configured and in use - systems that deploy pam_usb without OTP pads are not affected via this path. … |
| Risk Assessment | The CVSS 3.1 score of 5.8 (Medium) with vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L is well-calibrated to the real-world threat. … |
| Exploit Scenario | A local attacker with a low-privilege shell identifies the expected filesystem path for a per-device or per-user OTP pad directory and places a symlink at that path pointing to a directory they own, before or during a pam_usb authentication event. If the symlink is in place when pam_usb calls lstat() (seeing the path as existing) and then calls mkdir() (which follows the symlink rather than creating a real directory), subsequent OTP pad files are written into the attacker's directory. … |
| Remediation | Upgrade pam_usb to version 0.9.2, confirmed available at https://github.com/mcdope/pam_usb/releases/tag/0.9.2. … |
Authentication bypass in pam_usb before 0.9.1 allows remote unauthenticated attackers to reach the USB hardware-authenti
Authentication bypass in pam_usb prior to 0.9.0 lets a local user defeat the USB hardware-authentication factor by delet
Heap buffer overflow in pam_usb prior to 0.9.1 allows a local attacker with high privileges to corrupt heap memory on 32
XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to tr
XPath injection in pam_usb prior to 0.9.0 allows unauthenticated remote attackers to manipulate device-verification quer
PATH hijacking in pam_usb helper tools prior to version 0.9.0 allows a local low-privileged attacker who can manipulate
Environment variable injection in pam_usb prior to version 0.9.2 allows a local authenticated user to bypass hardware US
Non-atomic one-time pad file creation in pam_usb prior to 0.9.2 exposes the core replay-prevention mechanism to a local
Concurrent PAM invocations in pam_usb prior to 0.9.1 expose a process-wide static pointer race condition in src/log.c, w
NULL pointer dereference in pam_usb 0.9.1 and below crashes PAM-integrated authentication services (sudo, login) when lo
Infinite loop denial-of-service in pam_usb 0.9.1 and earlier can permanently hang authentication processes such as sudo,
Insecure deallocation in pam_usb 0.9.1 and below leaves sensitive authentication material - including one-time pad (OTP)
EUVD-2026-37936