Severity by source
AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L
Root write access to the config mandates PR:H and AV:L; AC:H reflects the multi-step prerequisite; S:C because pam_usb.so executes inside setuid sudo/su processes.
Primary rating from Vendor (GitHub_M).
CVSS Vector (Vendor: GitHub_M)
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L
Lifecycle Timeline
Description (CVE.org)
pam_usb provides hardware authentication for Linux using ordinary removable media. In versions prior to 0.9.2, pam_usb calls xmlReadFile() with flags=0 when loading the configuration file, allowing libxml2 to process external entity references (XXE), potentially making outbound network connections or local file reads at XML parse time from the context of the authenticating process. The vulnerability requires the configuration file to contain crafted XML entity references. Since pam_usb.conf is root-owned, direct exploitation requires prior write access to the config, but the defence-in-depth impact is significant given that pam_usb.so runs in setuid contexts (sudo, su). This issue has been fixed in version 0.9.2.
Analysis (AI)
XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to trigger unauthorized outbound network connections or local file reads during XML parsing, executing within privileged setuid contexts (sudo, su). The vulnerability stems from libxml2's xmlReadFile() being called with flags=0, leaving external entity processing enabled by default - a configuration-time oversight rather than a runtime input flaw. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Section | Assessment |
| --- | --- |
| Exploitation | Exploitation requires prior write access to /etc/pam_usb.conf, which is root-owned; gaining this access is itself a high-privilege prerequisite (PR:H). … |
| Risk Assessment | The CVSS 3.1 score of 6.7 (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L) accurately reflects the constrained exploitation path: an attacker must already possess root-level write access to pam_usb.conf before the XXE becomes exploitable, which significantly limits opportunistic exploitation. … |
| Exploit Scenario | An attacker who has achieved root-level access to a system (through a separate vulnerability or credential theft) modifies /etc/pam_usb.conf to embed an XML external entity declaration referencing a sensitive local file such as /etc/shadow or an attacker-controlled remote URL. The next time any user invokes sudo or su, pam_usb.so is loaded into the privileged process, xmlReadFile() parses the crafted config, and libxml2 resolves the external entity - either reading the target file into memory (potentially observable via error output or side channels) or initiating an outbound DNS/HTTP request that exfiltrates data to the attacker. … |
| Remediation | Upgrade to pam_usb 0.9.2, which resolves the XXE issue by passing explicit libxml2 parser flags to disable external entity expansion in xmlReadFile() (PR #385). … |
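The description and remediation rows above describe the defect at the level of a single parser call: a configuration loader that leaves external entity resolution enabled will fetch whatever a SYSTEM identifier points to, inside the authenticating process. The following is an added example, not pam_usb code and not the patch from PR #385. It uses Python's xml.sax in place of libxml2, with the feature_external_ges switch playing the role of the options argument to xmlReadFile(): the "vulnerable" call resolves the entity and pulls a constructed secret file into the parsed config, the "hardened" call does not, and a pre-check rejects any authentication config that declares a DOCTYPE or entities at all. The config layout, file names and secret value are all constructed for the demonstration.

```python
"""Added example (not pam_usb code): why an XML config loader must disable
external entity resolution.  xml.sax stands in for libxml2's xmlReadFile();
feature_external_ges stands in for the parser-options argument.  The config
layout, file names and secret value below are constructed for this demo."""
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges

# Constructed stand-in for a root-owned config that someone with write access
# has modified: the internal DTD declares an entity pointing at a local file.
TAMPERED_CONF_TEMPLATE = """<?xml version="1.0"?>
<!DOCTYPE configuration [
  <!ENTITY leak SYSTEM "{secret_path}">
]>
<configuration>
  <users>
    <user id="alice">
      <device>&leak;</device>
    </user>
  </users>
</configuration>
"""


class _DeviceTextCollector(xml.sax.ContentHandler):
    """Collects the character data the parser delivers inside <device>."""

    def __init__(self):
        super().__init__()
        self.device_text = []
        self._in_device = False

    def startElement(self, name, attrs):
        if name == "device":
            self._in_device = True

    def endElement(self, name):
        if name == "device":
            self._in_device = False

    def characters(self, content):
        if self._in_device:
            self.device_text.append(content)


def load_device_field(conf_path, resolve_external_entities):
    """Parse the config and return the text of <device>.

    resolve_external_entities=True mirrors the behaviour the page describes for
    xmlReadFile(..., flags=0): the parser fetches the SYSTEM target itself.
    False is the hardened configuration; the entity reference yields no text.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = _DeviceTextCollector()
    parser.setContentHandler(handler)
    parser.parse(conf_path)
    return "".join(handler.device_text)


def has_dtd_declarations(conf_path):
    """Defensive pre-check: an authentication config has no legitimate need
    for a DOCTYPE or entity declarations, so refuse to parse one that has them."""
    with open(conf_path, "rb") as fh:
        head = fh.read(65536)
    return b"<!DOCTYPE" in head or b"<!ENTITY" in head


def demo():
    """Build the constructed fixture, then compare vulnerable and hardened loads."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")  # constructed target file
        with open(secret_path, "w") as fh:
            fh.write("constructed-secret-value")
        conf_path = os.path.join(tmp, "pam_usb.conf")  # constructed config path
        with open(conf_path, "w") as fh:
            fh.write(TAMPERED_CONF_TEMPLATE.format(secret_path=secret_path))

        return {
            "vulnerable_read": load_device_field(conf_path, True),
            "hardened_read": load_device_field(conf_path, False),
            "rejected_by_precheck": has_dtd_declarations(conf_path),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The libxml2 analogue of the hardened branch is to pass an explicit options mask to xmlReadFile() rather than 0, setting XML_PARSE_NONET and leaving XML_PARSE_NOENT and XML_PARSE_DTDLOAD unset; that is stated here as general libxml2 practice, since the page does not spell out the exact mask 0.9.2 adopted. The pre-check is a compensating control worth keeping even after the parser is hardened: a root-owned authentication config that suddenly acquires a DOCTYPE is itself a tamper indicator worth logging.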
Authentication bypass in pam_usb before 0.9.1 allows remote unauthenticated attackers to reach the USB hardware-authenti
Authentication bypass in pam_usb prior to 0.9.0 lets a local user defeat the USB hardware-authentication factor by delet
Heap buffer overflow in pam_usb prior to 0.9.1 allows a local attacker with high privileges to corrupt heap memory on 32
XPath injection in pam_usb prior to 0.9.0 allows unauthenticated remote attackers to manipulate device-verification quer
PATH hijacking in pam_usb helper tools prior to version 0.9.0 allows a local low-privileged attacker who can manipulate
Environment variable injection in pam_usb prior to version 0.9.2 allows a local authenticated user to bypass hardware US
Symlink race condition in pam_usb prior to 0.9.2 allows a local attacker to redirect one-time pad files to an attacker-c
Non-atomic one-time pad file creation in pam_usb prior to 0.9.2 exposes the core replay-prevention mechanism to a local
Concurrent PAM invocations in pam_usb prior to 0.9.1 expose a process-wide static pointer race condition in src/log.c, w
NULL pointer dereference in pam_usb 0.9.1 and below crashes PAM-integrated authentication services (sudo, login) when lo
Infinite loop denial-of-service in pam_usb 0.9.1 and earlier can permanently hang authentication processes such as sudo,
Insecure deallocation in pam_usb 0.9.1 and below leaves sensitive authentication material - including one-time pad (OTP)
EUVD-2026-37934