Skip to main content

pam_usb EUVDEUVD-2026-32653

| CVE-2026-47272 HIGH
Improper Authentication (CWE-287)
2026-05-27 GitHub_M
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
May 27, 2026 - 22:04 EUVD
Analysis Generated
May 27, 2026 - 21:02 vuln.today
CVE Published
May 27, 2026 - 20:06 nvd
HIGH 7.1

DescriptionGitHub Advisory

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, the pusb_pad_compare() function in src/pad.c only verified that the user-side pad (~/.pamusb/device.pad) could be read, but did not enforce that the system-side pad (the pad file on the USB device) was also present and readable. If the user-side pad was deleted or unreadable, the function returned a failure that was treated as non-fatal in certain code paths, allowing authentication to succeed without the USB device being verified. A local user can delete their own ~/.pamusb/device.pad to remove the USB device requirement and authenticate without the physical device. This vulnerability is fixed in 0.9.0.

AnalysisAI

Authentication bypass in pam_usb prior to 0.9.0 lets a local user defeat the USB hardware-authentication factor by deleting their own ~/.pamusb/device.pad file. The flawed pusb_pad_compare() check in src/pad.c only confirmed the user-side pad was readable and treated its absence as a non-fatal failure in certain code paths, so authentication succeeded without the physical USB device ever being verified. There is no public exploit identified at time of analysis, but the technique is trivial - a single file deletion by the account owner.

Technical ContextAI

pam_usb is a PAM (Pluggable Authentication Modules) module for Linux that turns an ordinary removable USB device into a hardware authentication factor. It works by storing a matching 'pad' on both sides: a user-side pad at ~/.pamusb/device.pad in the user's home directory and a system-side pad written to the USB device itself; successful authentication is supposed to require both to be present and to match. The CPE cpe:2.3:a:mcdope:pam_usb:*:*:*:*:*:*:*:* identifies the affected component as the mcdope-maintained pam_usb package across all versions below the fix. The root cause maps to CWE-287 (Improper Authentication): pusb_pad_compare() verified only that the user-controlled pad could be read and, when it could not, returned a result that downstream logic treated as non-fatal, so the system-side pad on the USB device was never enforced as a precondition for success.

RemediationAI

Vendor-released patch: 0.9.0 - upgrade pam_usb to 0.9.0 or later, which enforces that the system-side pad on the USB device is present and readable rather than treating a missing user-side pad as non-fatal; see https://github.com/mcdope/pam_usb/security/advisories/GHSA-vx6f-rrqr-j87c. If you cannot upgrade immediately, treat pam_usb as a non-authoritative factor: in /etc/pam.d configure the pam_usb line as 'required' (not 'sufficient') and pair it with a mandatory password/primary factor so that bypassing the USB check alone cannot grant access; the trade-off is that legitimate USB failures will then block login. As an additional compensating control, monitor for deletion or absence of ~/.pamusb/device.pad files (e.g., via auditd file watches) and alert on it, accepting that this is detective rather than preventive. Avoid relying on pam_usb as a sole or 'sufficient' authentication mechanism until patched.

CVE-2026-48064 HIGH
8.1 May 27

Authentication bypass in pam_usb before 0.9.1 allows remote unauthenticated attackers to reach the USB hardware-authenti

CVE-2026-48065 MEDIUM
6.7 May 27

Heap buffer overflow in pam_usb prior to 0.9.1 allows a local attacker with high privileges to corrupt heap memory on 32

CVE-2026-48981 MEDIUM
6.7 Jun 18

XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to tr

CVE-2026-47273 MEDIUM
6.5 May 27

XPath injection in pam_usb prior to 0.9.0 allows unauthenticated remote attackers to manipulate device-verification quer

CVE-2026-47274 MEDIUM
6.3 May 27

PATH hijacking in pam_usb helper tools prior to version 0.9.0 allows a local low-privileged attacker who can manipulate

CVE-2026-48980 MEDIUM
6.3 Jun 18

Environment variable injection in pam_usb prior to version 0.9.2 allows a local authenticated user to bypass hardware US

CVE-2026-48983 MEDIUM
5.8 Jun 18

Symlink race condition in pam_usb prior to 0.9.2 allows a local attacker to redirect one-time pad files to an attacker-c

CVE-2026-48982 MEDIUM
5.8 Jun 18

Non-atomic one-time pad file creation in pam_usb prior to 0.9.2 exposes the core replay-prevention mechanism to a local

CVE-2026-48066 MEDIUM
5.7 May 27

Concurrent PAM invocations in pam_usb prior to 0.9.1 expose a process-wide static pointer race condition in src/log.c, w

CVE-2026-48985 MEDIUM
5.5 Jun 18

NULL pointer dereference in pam_usb 0.9.1 and below crashes PAM-integrated authentication services (sudo, login) when lo

CVE-2026-48986 MEDIUM
4.7 Jun 18

Infinite loop denial-of-service in pam_usb 0.9.1 and earlier can permanently hang authentication processes such as sudo,

CVE-2026-48984 MEDIUM
4.7 Jun 18

Insecure deallocation in pam_usb 0.9.1 and below leaves sensitive authentication material - including one-time pad (OTP)

Share

EUVD-2026-32653 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy