
pam_usb EUVD-2026-37937

CVE-2026-48980 MEDIUM
External Initialization of Trusted Variables or Data Stores (CWE-454)
2026-06-18 · GitHub_M
6.3 · CVSS 3.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
6.3 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
6.3 MEDIUM

Local vector and low-privilege requirement reflect mandatory local account and environment manipulation before setuid execution; C:H/I:H capture full auth bypass enabling root access via sudo.

CVSS 3.1: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS 4.0: AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Patch available: Jun 18, 2026 - 21:02 (EUVD)
Source Code Evidence Fetched: Jun 18, 2026 - 20:05 (vuln.today)
Analysis Generated: Jun 18, 2026 - 20:05 (vuln.today)
CVE Published: Jun 18, 2026 - 19:26 (cve.org)

Description (CVE.org)

pam_usb provides hardware authentication for Linux using removable media. In versions prior to 0.9.2, the environment variables XRDP_SESSION, DISPLAY and TMUX, read via getenv(), allow environment variable injection into the local-check logic. These environment variables influence whether the current session is local or remote, and in a PAM module that runs in the context of setuid binaries (sudo, su), getenv() returns attacker-controlled values whenever the process environment has been manipulated by a local user. This issue has been fixed in version 0.9.2.

Analysis (AI)

Environment variable injection in pam_usb prior to version 0.9.2 allows a local authenticated user to bypass hardware USB token authentication by manipulating the XRDP_SESSION, DISPLAY, or TMUX environment variables before invoking setuid binaries such as sudo or su. Because the PAM module calls standard getenv() - which does not sanitize values in privileged contexts - attacker-controlled environment data is used to determine whether the current session is local or remote, potentially defeating the core purpose of hardware-enforced authentication. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Gain local user account on target Linux system
Delivery: Set XRDP_SESSION/DISPLAY/TMUX env vars to attacker-chosen values
Exploit: Invoke sudo or su (setuid binary triggers PAM stack)
Install: pam_usb calls getenv() and receives injected values
C2: Session misclassified as remote or non-local by pam_usb logic
Execute: Hardware USB token check bypassed
Impact: Execute privileged commands without presenting USB device

Vulnerability Assessment (AI)

Exploitation: Exploitation requires three specific conditions: (1) pam_usb must be installed and configured in the PAM stack for a setuid binary - specifically sudo or su - on a Linux system; (2) the attacker must hold a local user account with permission to invoke that setuid binary (PR:L); and (3) the attacker must manipulate the process environment to set one or more of XRDP_SESSION, DISPLAY, or TMUX to values that cause pam_usb's session-type check to return an unexpected classification before the setuid binary executes. …
Risk Assessment: The NVD CVSS 3.1 score of 6.3 Medium (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N) accurately captures the local-only attack surface and elevated attack complexity, but the High confidentiality and integrity sub-scores reflect that a successful exploitation achieves a complete authentication bypass - potentially granting root via sudo without a hardware token. …
Exploit Scenario: A local user with a standard account sets XRDP_SESSION=1 (or manipulates DISPLAY or TMUX) in their shell environment, then invokes sudo to execute a privileged command. When pam_usb runs inside the sudo setuid process, getenv() returns the attacker-controlled value, causing the module to classify the session as a remote desktop or non-local session and alter its hardware token enforcement logic, allowing the command to proceed without presenting the required USB device. …
Remediation: Upgrade pam_usb to version 0.9.2 immediately; this release replaces getenv() with secure_getenv() in the PAM context (commit #384, issue #368), which is the direct fix for this vulnerability. …
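To make the remediation concrete, the following C program is an added illustration (not pam_usb's own code) of why plain getenv() is unsafe inside a setuid PAM context and how the secure_getenv() replacement behaves under AT_SECURE. The classification rules, the treatment of XRDP_SESSION/TMUX/DISPLAY and the fail-closed default are assumptions made for this example, not pam_usb's real logic.

```c
#define _GNU_SOURCE      /* exposes secure_getenv() in glibc */
#include <stdio.h>
#include <stdlib.h>
#include <sys/auxv.h>    /* getauxval(), AT_SECURE */
/* Redeclared so the file still builds if a harness pulls in headers before
 * _GNU_SOURCE is defined; both are compatible with the glibc prototypes. */
extern char *secure_getenv(const char *name);
extern int setenv(const char *name, const char *value, int overwrite);
typedef enum { SESSION_LOCAL = 0, SESSION_REMOTE = 1 } session_kind;
typedef char *(*env_lookup_fn)(const char *name);

/* Hypothetical policy (assumed for this example, not pam_usb's real rules):
 * XRDP_SESSION or TMUX set -> remote/non-local; DISPLAY naming a local X
 * display (":N") -> local; anything else, including "variable not visible",
 * -> local. Local is the fail-closed answer: it must present the USB token. */
static session_kind classify_session(env_lookup_fn lookup)
{
    const char *xrdp = lookup("XRDP_SESSION");
    const char *tmux = lookup("TMUX");
    const char *disp = lookup("DISPLAY");
    if ((xrdp && *xrdp) || (tmux && *tmux)) return SESSION_REMOTE;
    if (disp && disp[0] == ':') return SESSION_LOCAL;
    return SESSION_LOCAL;                    /* unknown or hidden: fail closed */
}

/* Pre-0.9.2 shape: getenv() returns whatever the user exported before running
 * sudo/su, so the unprivileged caller steers the classification. */
static session_kind classify_with_getenv(void) { return classify_session(getenv); }

/* 0.9.2 shape: secure_getenv() returns NULL when the kernel marked the process
 * AT_SECURE (setuid/setgid, file capabilities), so user-supplied values are
 * never consulted and the classifier falls through to its local default. */
static session_kind classify_with_secure_getenv(void) { return classify_session(secure_getenv); }

/* Stand-in that reproduces secure_getenv()'s AT_SECURE behaviour so the fixed
 * path can be exercised from an ordinary, non-setuid test process. */
static char *env_hidden(const char *name) { (void)name; return NULL; }
static session_kind classify_as_if_setuid(void) { return classify_session(env_hidden); }
/* 1 when this very process runs with AT_SECURE set, 0 otherwise. */
static int running_secure(void) { return getauxval(AT_SECURE) != 0; }
int main(void)
{
    setenv("XRDP_SESSION", "1", 1);          /* constructed: what a local user could export */
    printf("getenv():          %s\n", classify_with_getenv() == SESSION_REMOTE ? "remote" : "local");
    printf("secure_getenv():   %s (AT_SECURE=%d)\n",
           classify_with_secure_getenv() == SESSION_REMOTE ? "remote" : "local", running_secure());
    printf("setuid simulation: %s\n", classify_as_if_setuid() == SESSION_REMOTE ? "remote" : "local");
    return 0;
}
```

Run as a normal user, getenv() and secure_getenv() agree (AT_SECURE is 0); only the simulated setuid path shows the value being hidden, which is exactly the behaviour the 0.9.2 fix relies on when sudo or su loads the module.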


CVE-2026-48064 HIGH
8.1 May 27

Authentication bypass in pam_usb before 0.9.1 allows remote unauthenticated attackers to reach the USB hardware-authenti

CVE-2026-47272 HIGH
7.1 May 27

Authentication bypass in pam_usb prior to 0.9.0 lets a local user defeat the USB hardware-authentication factor by delet

CVE-2026-48065 MEDIUM
6.7 May 27

Heap buffer overflow in pam_usb prior to 0.9.1 allows a local attacker with high privileges to corrupt heap memory on 32

CVE-2026-48981 MEDIUM
6.7 Jun 18

XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to tr

CVE-2026-47273 MEDIUM
6.5 May 27

XPath injection in pam_usb prior to 0.9.0 allows unauthenticated remote attackers to manipulate device-verification quer

CVE-2026-47274 MEDIUM
6.3 May 27

PATH hijacking in pam_usb helper tools prior to version 0.9.0 allows a local low-privileged attacker who can manipulate

CVE-2026-48983 MEDIUM
5.8 Jun 18

Symlink race condition in pam_usb prior to 0.9.2 allows a local attacker to redirect one-time pad files to an attacker-c

CVE-2026-48982 MEDIUM
5.8 Jun 18

Non-atomic one-time pad file creation in pam_usb prior to 0.9.2 exposes the core replay-prevention mechanism to a local

CVE-2026-48066 MEDIUM
5.7 May 27

Concurrent PAM invocations in pam_usb prior to 0.9.1 expose a process-wide static pointer race condition in src/log.c, w

CVE-2026-48985 MEDIUM
5.5 Jun 18

NULL pointer dereference in pam_usb 0.9.1 and below crashes PAM-integrated authentication services (sudo, login) when lo

CVE-2026-48986 MEDIUM
4.7 Jun 18

Infinite loop denial-of-service in pam_usb 0.9.1 and earlier can permanently hang authentication processes such as sudo,

CVE-2026-48984 MEDIUM
4.7 Jun 18

Insecure deallocation in pam_usb 0.9.1 and below leaves sensitive authentication material - including one-time pad (OTP)


EUVD-2026-37937 vulnerability details – vuln.today
