Pam Usb

14 CVEs product

CVE-2026-48980 MEDIUM PATCH This Month

Environment variable injection in pam_usb prior to version 0.9.2 allows a local authenticated user to bypass hardware USB token authentication by manipulating the XRDP_SESSION, DISPLAY, or TMUX environment variables before invoking setuid binaries such as sudo or su. Because the PAM module calls standard getenv() - which does not sanitize values in privileged contexts - attacker-controlled environment data is used to determine whether the current session is local or remote, potentially defeating the core purpose of hardware-enforced authentication. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the authentication bypass impact makes this a high-priority upgrade for any deployment relying on pam_usb for privileged command gating.

Tags: Code Injection, Pam Usb | References: NVD, GitHub | CVSS 3.1: 6.3 | EPSS: 0.1%

CVE-2026-48983 MEDIUM PATCH This Month

Symlink race condition in pam_usb prior to 0.9.2 allows a local attacker to redirect one-time pad files to an attacker-controlled directory, potentially exposing future OTP values before use and undermining hardware-based PAM authentication on Linux. The flaw is a classic TOCTOU pattern in per-device and per-user pad directory creation, fixed as part of a 12-issue security hardening release (0.9.2) triggered by an ongoing audit. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, successful exploitation could permit authentication bypass by a local low-privilege user.

Tags: Information Disclosure, Pam Usb | References: NVD, GitHub | CVSS 3.1: 5.8 | EPSS: 0.1%

CVE-2026-48982 MEDIUM PATCH This Month

Non-atomic one-time pad file creation in pam_usb prior to 0.9.2 exposes the core replay-prevention mechanism to a local race condition (CWE-362), allowing a precisely timed concurrent write to corrupt or reuse the stored OTP pad state. Systems running pam_usb as a PAM module for SSH, sudo, or login are affected on all versions before 0.9.2; successful exploitation could silently degrade hardware authentication integrity, creating a window for USB token replay attacks. No public exploit or CISA KEV listing has been identified at time of analysis; vendor-released patch 0.9.2 resolves this and 11 additional security findings.

Tags: Information Disclosure, Race Condition, Pam Usb | References: NVD, GitHub | CVSS 3.1: 5.8 | EPSS: 0.1%

CVE-2026-48981 MEDIUM PATCH This Month

XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to trigger unauthorized outbound network connections or local file reads during XML parsing, executing within privileged setuid contexts (sudo, su). The vulnerability stems from libxml2's xmlReadFile() being called with flags=0, leaving external entity processing enabled by default - a configuration-time oversight rather than a runtime input flaw. No public exploit identified at time of analysis, but the scope change (S:C in CVSS) reflects that exploitation occurs inside processes running with elevated privileges, amplifying the potential impact of any upstream compromise that enables config tampering.

Tags: XXE, Pam Usb | References: NVD, GitHub | CVSS 3.1: 6.7 | EPSS: 0.1%

CVE-2026-48985 MEDIUM PATCH This Month

NULL pointer dereference in pam_usb 0.9.1 and below crashes PAM-integrated authentication services (sudo, login) when loginctl returns an empty Remote field during session locality checks. The crash terminates the PAM module with SIGSEGV, and depending on PAM stack control flags (required vs. optional), can deny authentication to all users of the affected service - a local denial of service with potentially severe impact on system accessibility. No active exploitation confirmed (not in CISA KEV); vendor-released patch available in version 0.9.2, which also addresses 11 additional security findings discovered during an ongoing audit.

Tags: Denial Of Service, Null Pointer Dereference, Pam Usb | References: NVD, GitHub, VulDB | CVSS 3.1: 5.5 | EPSS: 0.1%

CVE-2026-48986 MEDIUM PATCH This Month

Infinite loop denial-of-service in pam_usb 0.9.1 and earlier can permanently hang authentication processes such as sudo, sshd, or login on Linux systems using USB hardware authentication. The flaw is in usb_get_process_parent_id(), which fails to initialize *ppid on failure; pusb_local_login() reuses the same variable as both input and output in a process-tree traversal loop, so if /proc/<pid>/stat becomes unreadable mid-authentication (e.g., an ancestor process exits during the auth window), the PID is never advanced and the loop never terminates. No public exploit has been identified and KEV listing is absent; the vendor-released patch is version 0.9.2, which is strongly recommended given the criticality of the affected authentication stack components.

Tags: Denial Of Service, Pam Usb | References: NVD, GitHub, VulDB | CVSS 3.1: 4.7 | EPSS: 0.1%

CVE-2026-48984 MEDIUM PATCH This Month

Insecure deallocation in pam_usb 0.9.1 and below leaves sensitive authentication material - including one-time pad (OTP) bytes read from removable media - resident in freed heap memory because the xfree() helper calls free() without first zeroing the buffer. On any system where a secondary use-after-free condition or heap inspection primitive is present within the same pam_usb process, an attacker could recover pad values or other credential material from those freed regions, potentially undermining the hardware authentication guarantee pam_usb is designed to provide. This is a defense-in-depth hardening gap patched in 0.9.2; no confirmed active exploitation or public exploit code has been identified at time of analysis.

Tags: Information Disclosure, Pam Usb | References: NVD, GitHub, VulDB | CVSS 3.1: 4.7 | EPSS: 0.1%

CVE-2026-47272 HIGH PATCH This Week

Authentication bypass in pam_usb prior to 0.9.0 lets a local user defeat the USB hardware-authentication factor by deleting their own ~/.pamusb/device.pad file. The flawed pusb_pad_compare() check in src/pad.c only confirmed the user-side pad was readable and treated its absence as a non-fatal failure in certain code paths, so authentication succeeded without the physical USB device ever being verified. There is no public exploit identified at time of analysis, but the technique is trivial - a single file deletion by the account owner.

Tags: Authentication Bypass, Pam Usb | References: NVD, GitHub | CVSS 3.1: 7.1 | EPSS: 0.0%

CVE-2026-47273 MEDIUM PATCH This Month

XPath injection in pam_usb prior to 0.9.0 allows unauthenticated remote attackers to manipulate device-verification queries against /etc/pamusb.conf, potentially bypassing USB hardware authentication entirely. PAM usernames and service names submitted through network-facing services such as SSH are passed unsanitized into XPath expressions; injecting predicates such as `' or @id='victim` causes the device-presence check to evaluate as true without the USB token physically present. No public exploit identified at time of analysis, though the GitHub security advisory, fix commit, and injection test cases demonstrating the technique are publicly available.

Tags: Code Injection, Pam Usb | References: NVD, GitHub | CVSS 3.1: 6.5 | EPSS: 0.0%

CVE-2026-47274 MEDIUM PATCH This Month

PATH hijacking in pam_usb helper tools prior to version 0.9.0 allows a local low-privileged attacker who can manipulate the process environment to substitute malicious binaries for those called by pamusb-check, pamusb-conf, and pamusb-keyring-unlock-gnome, resulting in high confidentiality and integrity impact. The root cause is CWE-427 (Uncontrolled Search Path Element): all three tools resolved external binaries - including id, whoami, pidof, gnome-keyring-daemon, and pamusb-check itself - through the attacker-controllable PATH variable rather than hardcoded absolute paths. No public exploit code exists and this vulnerability is not listed in CISA KEV at time of analysis.

Tags: Information Disclosure, Pam Usb | References: NVD, GitHub, VulDB | CVSS 3.1: 6.3 | EPSS: 0.0%

CVE-2026-48064 HIGH PATCH This Week

Authentication bypass in pam_usb before 0.9.1 allows remote unauthenticated attackers to reach the USB hardware-authentication step over XDMCP when an administrator has set deny_remote=false - a common tweak for display managers like gdm-password or lightdm. Because the PAM_RHOST remote-client check is gated inside the same deny_remote conditional, disabling deny_remote inadvertently disables the safeguard that rejects remote connections, so a genuine remote XDMCP session is treated like a local one. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the high CVSS (8.1) reflects full compromise of confidentiality, integrity, and availability if the attacker satisfies the configuration prerequisites.

Tags: Authentication Bypass, Pam Usb | References: NVD, GitHub | CVSS 3.1: 8.1 | EPSS: 0.1%

CVE-2026-48065 MEDIUM PATCH This Month

Heap buffer overflow in pam_usb prior to 0.9.1 allows a local attacker with high privileges to corrupt heap memory on 32-bit Linux platforms (armv7l, i686) by supplying a crafted configuration file with an excessive device count. The root cause is an unchecked integer multiplication in src/conf.c where n_devices * sizeof(t_pusb_device) wraps around size_t on 32-bit targets, causing xmalloc() to receive a drastically undersized allocation that is silently accepted, enabling out-of-bounds writes into heap memory. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, successful exploitation yields full confidentiality, integrity, and availability impact on the affected host.

Tags: Buffer Overflow, Heap Overflow, Pam Usb | References: NVD, GitHub | CVSS 3.1: 6.7 | EPSS: 0.0%

CVE-2026-48066 MEDIUM PATCH This Month

Concurrent PAM invocations in pam_usb prior to 0.9.1 expose a process-wide static pointer race condition in src/log.c, where each PAM call overwrites a shared static pointer with the address of a stack-local variable. When multiple threads invoke the PAM stack simultaneously - a normal condition in multi-threaded Linux services such as SSH daemons or display managers - one thread's logging pointer can reference another thread's already-deallocated stack frame, causing availability loss (crash/hang) or limited integrity corruption. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV.

Tags: Information Disclosure, Race Condition, Pam Usb | References: NVD, GitHub | CVSS 3.1: 5.7 | EPSS: 0.0%

CVE-2026-48792 MEDIUM PATCH This Month

Authentication bypass in pam_usb prior to 0.9.1 allows a local low-privileged user to circumvent hardware token requirements by exploiting silent EACCES error suppression in the virtual input device scanner. When the PAM module's evdev.c component fails to open /dev/input/event* nodes due to permission errors, it returns a false negative indicating no virtual devices are present, and the caller in local.c proceeds with authentication as if the hardware check passed cleanly. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Tags: Information Disclosure, Pam Usb | References: NVD, GitHub | CVSS 3.1: 4.4 | EPSS: 0.0%