Description
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, pamusb-pinentry reads the PINENTRY_FALLBACK_APP environment variable and executes it directly without any validation. Any process that can set environment variables before pamusb-pinentry is invoked can point PINENTRY_FALLBACK_APP at an arbitrary binary or script and have it executed with the privileges of the pam_usb tool chain. This vulnerability is fixed in 0.8.7.
Published: 2026-05-27
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

pam_usb, a Linux PAM module that allows hardware authentication via removable media, contained a flaw in version 0.8.6 and earlier. The module pamusb-pinentry reads the environment variable PINENTRY_FALLBACK_APP and executes its value directly, without validation or sanitisation. Because the variable is processed by the binary running with pam_usb privileges, any process that can inject an environment variable before pamusb-pinentry starts can execute arbitrary code with those privileges. The weakness is a classic CWE-78 External Input Controlling System or Command Execution.

Affected Systems

The affected product is mcdope's pam_usb, specifically any installation using a version earlier than 0.8.7. The fix was introduced in release 0.8.7, which validates or removes the PINENTRY_FALLBACK_APP variable before use.

Risk and Exploitability

The CVSS score for this vulnerability is 7.8, indicating a high impact. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers who can run a process that sets environment variables prior to the pamusb-pinentry invocation can trigger the flaw locally, leveraging pam_usb's privileges for arbitrary command execution. While the attack requires local authority to influence the environment, the consequences could be significant if the PAM module is employed in critical authentication workflows.

Generated by OpenCVE AI on May 27, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pam_usb to version 0.8.7 or later, which removes the unsanitised execution of PINENTRY_FALLBACK_APP.
  • Ensure that the PINENTRY_FALLBACK_APP environment variable is unset or explicitly set to a safe value in any PAM configuration or user session scripts.
  • Restrict the ability of local users or untrusted processes to set or modify environment variables that are passed to pam_usb, for example by using pam_env or adjusting the PAM service configuration to sanitise the environment before invoking pam_usb.
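Added example (Python, illustration only, not pam_usb's code): the unvalidated lookup the description attributes to pamusb-pinentry, beside a resolver that applies the mitigations above, ignoring the variable when the caller is privileged and otherwise accepting only a normalised absolute path from an administrator allowlist. The allowlist, the function names and the privileged flag are assumptions for this example.

```python
import os

# Constructed allowlist for this illustration; pam_usb's real fallback handling
# and its set of acceptable pinentry programs are not shown here.
ALLOWED_FALLBACKS = frozenset({
    "/usr/bin/pinentry-curses",
    "/usr/bin/pinentry-tty",
})

# Characters that would change meaning if the value ever reached a shell.
SHELL_META = set(";&|$`<>(){}*?!\n\r\t ")


def resolve_fallback_unsafe(env):
    """The pattern the CVE describes: whatever the variable holds is handed to exec."""
    return env.get("PINENTRY_FALLBACK_APP")


def resolve_fallback_safe(env, privileged=False):
    """Return an absolute program path to execute, or None to ignore the variable.

    privileged=True models the case where the caller runs with more authority
    than the environment's author (the pam_usb situation); like secure_getenv(3),
    the variable is then ignored outright.
    """
    value = env.get("PINENTRY_FALLBACK_APP")
    if not value or privileged:
        return None
    # Bare absolute path only: no relative lookups, no '..' or trailing-slash
    # variants, no shell metacharacters (the result is passed as argv, never via sh -c).
    if not os.path.isabs(value) or value != os.path.normpath(value):
        return None
    if any(ch in SHELL_META for ch in value):
        return None
    # Finally, the path must be one the administrator has approved.
    if value not in ALLOWED_FALLBACKS:
        return None
    return value


def fallback_argv(env, privileged=False):
    """argv list suitable for os.execv, or None; never builds a shell command line."""
    path = resolve_fallback_safe(env, privileged)
    return None if path is None else [path]
```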

Advisories

No advisories yet.

History

Wed, 27 May 2026 21:00:00 +0000

Type        | Values Removed | Values Added
Description |                | pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, pamusb-pinentry reads the PINENTRY_FALLBACK_APP environment variable and executes it directly without any validation. Any process that can set environment variables before pamusb-pinentry is invoked can point PINENTRY_FALLBACK_APP at an arbitrary binary or script and have it executed with the privileges of the pam_usb tool chain. This vulnerability is fixed in 0.8.7.
Title       |                | pam_usb: PINENTRY_FALLBACK_APP environment variable allows arbitrary command execution
Weaknesses  |                | CWE-78
References  |                |
Metrics     |                | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T20:20:52.529Z

Reserved: 2026-05-07T17:07:09.318Z

Link: CVE-2026-44709

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-27T21:16:17.807

Modified: 2026-05-27T21:16:17.807

Link: CVE-2026-44709

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T22:30:35Z

Weaknesses