Skip to main content

pam_usb EUVDEUVD-2026-32657

| CVE-2026-44713 HIGH
OS Command Injection (CWE-78)
2026-05-27 security-advisories@github.com
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 27, 2026 - 22:04 EUVD
Analysis Generated
May 27, 2026 - 21:32 vuln.today
CVE Published
May 27, 2026 - 21:16 nvd
HIGH 8.8

DescriptionGitHub Advisory

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, src/tmux.c reads the user's $TMUX environment variable, splits it on commas, and interpolates the socket-path component directly into a shell command passed to popen(). Because the value is placed inside double-quotes without sanitisation, any value containing " terminates the quoted string and injects arbitrary shell syntax. popen() runs as root inside the PAM stack. This vulnerability is fixed in 0.8.7.

AnalysisAI

Local privilege escalation via OS command injection in pam_usb before 0.8.7 lets a low-privileged local user execute arbitrary commands as root. The flaw lives in src/tmux.c, which reads the attacker-controllable $TMUX environment variable and interpolates its socket-path component, unsanitised, inside a double-quoted string passed to popen(); a value containing a double-quote breaks out of the quoting and injects shell syntax that runs in the root-context PAM stack. No public exploit identified at time of analysis, and no EPSS or CISA KEV data was supplied, but the CVSS 8.8 (scope-changed) rating reflects straightforward, low-complexity root compromise.

Technical ContextAI

pam_usb is a PAM (Pluggable Authentication Modules) module for Linux that provides two-factor/hardware authentication using ordinary removable USB media. The vulnerable component is its tmux integration (src/tmux.c), which constructs a shell command to interact with a tmux server socket. The root cause maps to CWE-78 (Improper Neutralization of Special Elements used in an OS Command, i.e. OS Command Injection): the code takes the user-controlled $TMUX environment variable, splits it on commas to obtain the socket path, and embeds that path directly between double-quotes in a command string handed to popen(). popen() spawns /bin/sh, so any shell metacharacters or a closing double-quote in the variable are interpreted by the shell. Because PAM modules execute within the address space and privileges of the calling service (frequently root during authentication, e.g. login, su, sudo), the injected command inherits root. No CPE strings were provided in the input; affected-version identification therefore rests on the description and the GitHub advisory rather than NVD CPE data.

RemediationAI

Vendor-released patch: 0.8.7 - upgrade pam_usb to version 0.8.7 or later, which fixes the unsanitised interpolation of $TMUX in src/tmux.c, per the advisory at https://github.com/mcdope/pam_usb/security/advisories/GHSA-822m-whrh-vrj8. If immediate upgrading is not possible, compensating controls include disabling or removing the pam_usb tmux integration from the relevant PAM service configurations so the vulnerable code path in tmux.c is not invoked (trade-off: loss of tmux-aware behaviour for pam_usb), and, where feasible, sanitising or clearing the $TMUX environment variable before PAM authentication runs (e.g. via PAM env handling), with the side effect of breaking legitimate tmux session detection. Reducing or eliminating untrusted interactive local accounts on hosts that load pam_usb also limits exposure until the patch is applied. Confirm the exact patched build from the vendor advisory before deploying.

Share

EUVD-2026-32657 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy