Description
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, a crafted UUID such as $(id>/tmp/rce) in the config causes root RCE when pamusb-conf --reset-pads is run. A USB device with a crafted filesystem UUID (some controllers allow this) can inject the payload at --add-device time. Also, userName from the XML config is passed to os.system() in pamusb-agent, which invokes a shell. This vulnerability is fixed in 0.8.7.
Published: 2026-05-27
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

pam_usb's helper tools hand two externally influenced strings to a shell without sanitization: the removable device's filesystem UUID and the userName value from the XML configuration. The UUID is recorded by pamusb-conf --add-device, so a device whose controller permits a crafted filesystem UUID (for example $(id>/tmp/rce)) gets that string written into the config, and the shell expands it when pamusb-conf --reset-pads is run, an operation the administrator performs as root. Separately, pamusb-agent passes userName to os.system(), which also invokes a shell, so a crafted user name in the config executes with the privileges of the agent process. Both paths are OS command injection (CWE-78) with an argument injection component (CWE-88); the root-privileged --reset-pads path is what turns a crafted device into full compromise of the host.

Affected Systems

The affected product is pam_usb by mcdope. Any installation of pam_usb prior to version 0.8.7 is vulnerable; versions 0.8.7 and later contain the fix.

Risk and Exploitability

The CVSS 3.1 score of 8.2 (vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) is high severity: local attack vector, low complexity, high privileges required, no user interaction, changed scope, and high impact on confidentiality, integrity and availability. EPSS is below 1% (very low), the vulnerability is not in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no. Exploitation needs the payload to reach the configuration, either by presenting a USB device whose controller allows a crafted filesystem UUID at the moment the administrator runs pamusb-conf --add-device, or by editing the XML config directly; the injected command then runs when --reset-pads is executed or when pamusb-agent processes the userName. Once it runs, the attacker has root on the host.

Generated by OpenCVE AI on May 27, 2026 at 22:39 UTC.

Remediation

No separate workaround is listed; the vendor fix is pam_usb 0.8.7 (see the description above).

OpenCVE Recommended Actions

  • Upgrade pam_usb to version 0.8.7 or later.
  • Audit the pam_usb XML configuration for device UUIDs and userName values that contain shell metacharacters ($, `, ;, |, &, <, >, quotes, whitespace); remove any device entry whose filesystem UUID is not a plain UUID and any user entry whose name is not a valid login name.
  • Restrict physical USB port access on hosts that use pam_usb and, until the update is applied, do not run pamusb-conf against untrusted devices; if that cannot be guaranteed, remove pam_usb from the PAM stack.
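
The injection described in the Impact section and the configuration audit the recommended actions call for, as one added example. This is editorial code written for this page, not pam_usb's own code and not the fix shipped in 0.8.7. It interpolates an attacker-controlled UUID into a shell string the way an os.system() call would and shows the $(...) being expanded, then shows the two safe constructions (an argv list with no shell, or shlex.quote when a shell string is unavoidable) behind a strict UUID allow-list, and finally scans a pam_usb-style XML config for device UUIDs and user names that fail the allow-list. The element and attribute names in the constructed sample config (configuration/devices/device/volume_uuid and users/user@id), the login-name policy, and the use of echo as a stand-in for the real command are assumptions; the actual pam_usb config schema and the commands pamusb-conf and pamusb-agent run are not shown on this page.

```python
# Added example for this advisory, not pam_usb project code and not the 0.8.7 fix.
# Demonstrates: (1) how an attacker-controlled UUID or userName interpolated into
# a shell string is executed, the way an os.system() call would run it;
# (2) the two safe constructions (argv list, or shlex.quote when a shell is
# unavoidable) plus strict allow-list validation; (3) an audit of a pam_usb-style
# XML config for values that fail the allow-list. Constructed sample data
# throughout; element names and the 'echo' stand-in command are assumptions.
import re
import shlex
import subprocess
import xml.etree.ElementTree as ET

# Filesystem UUIDs as blkid/udev report them: 8-4-4-4-12 hex (ext*, XFS, ...)
# or XXXX-XXXX (FAT volume IDs). Anything else is refused.
UUID_RE = re.compile(
    r"^(?:[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
    r"|[0-9a-fA-F]{4}-[0-9a-fA-F]{4})$"
)
# POSIX portable login names (assumed policy; tighten to match your site).
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}\$?$")

# Harmless stand-in payload: if it is ever expanded, INJECTED appears in the output.
PAYLOAD = "$(echo INJECTED)"


def run_shell_unquoted(uuid: str) -> str:
    """Injectable pattern: os.system(f'... {uuid}') builds one string and hands it
    to /bin/sh, so $(...) in the UUID is command substitution, not data."""
    cmd = f"echo uuid={uuid}"                      # same string os.system() would get
    return subprocess.run(["sh", "-c", cmd], capture_output=True,
                          text=True, check=True).stdout.strip()


def run_shell_quoted(uuid: str) -> str:
    """If a shell string is unavoidable, shlex.quote() turns the value into a
    single-quoted literal so the shell never interprets it."""
    cmd = f"echo uuid={shlex.quote(uuid)}"
    return subprocess.run(["sh", "-c", cmd], capture_output=True,
                          text=True, check=True).stdout.strip()


def run_argv(uuid: str) -> str:
    """Preferred fix: no shell at all. Each argv element reaches the program
    verbatim, whatever characters it contains."""
    return subprocess.run(["echo", f"uuid={uuid}"], capture_output=True,
                          text=True, check=True).stdout.strip()


def safe_argv(uuid: str) -> list[str]:
    """Validate, then build an argv list. Raises rather than silently passing a
    malformed UUID on, so a crafted device is rejected at --add-device time."""
    if not UUID_RE.match(uuid):
        raise ValueError(f"refusing malformed filesystem UUID: {uuid!r}")
    return ["echo", f"uuid={uuid}"]   # 'echo' stands in for the real tool


# Constructed pam_usb-style config. The element and attribute names are assumed,
# not taken from the real pam_usb.conf schema.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <devices>
    <device id="good-key">
      <volume_uuid>6f2a1c3e-9b4d-4e7a-8c1f-2d3e4f5a6b7c</volume_uuid>
    </device>
    <device id="evil-key">
      <volume_uuid>$(id>/tmp/rce)</volume_uuid>
    </device>
  </devices>
  <users>
    <user id="alice"/>
    <user id="bob; touch /tmp/pwned"/>
  </users>
</configuration>
"""


def audit_config(xml_text: str) -> list[str]:
    """Return one finding per device UUID or user name that fails the allow-list.
    An empty list means nothing in the config can break out of a shell string."""
    findings = []
    root = ET.fromstring(xml_text)
    for dev in root.iterfind("./devices/device"):
        uuid = (dev.findtext("volume_uuid") or "").strip()
        if not UUID_RE.match(uuid):
            findings.append(f"device {dev.get('id')!r}: volume_uuid {uuid!r} is not a plain UUID")
    for user in root.iterfind("./users/user"):
        name = user.get("id", "")
        if not USER_RE.match(name):
            findings.append(f"user {name!r}: not a valid login name")
    return findings


if __name__ == "__main__":
    print("unquoted shell:", run_shell_unquoted(PAYLOAD))   # uuid=INJECTED
    print("quoted shell:  ", run_shell_quoted(PAYLOAD))     # uuid=$(echo INJECTED)
    print("argv, no shell:", run_argv(PAYLOAD))             # uuid=$(echo INJECTED)
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it as a script to see the three outputs side by side: only the unquoted shell string lets the UUID's $(...) execute. The audit is what the recommended actions amount to in practice: any config value that fails the allow-list is either a crafted device or a hand edit that needs explaining, and the same allow-list belongs in front of whatever command the tools build, since validating the stored value does nothing if the next --add-device writes a new one.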

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Mcdope
                                      Mcdope pam Usb
Vendors & Products                    Mcdope
                                      Mcdope pam Usb

Thu, 28 May 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 21:00:00 +0000

Type         Values Removed   Values Added
Description                   pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, a crafted UUID such as $(id>/tmp/rce) in the config causes root RCE when pamusb-conf --reset-pads is run. A USB device with a crafted filesystem UUID (some controllers allow this) can inject the payload at --add-device time. Also, userName from the XML config is passed to os.system() in pamusb-agent, which invokes a shell. This vulnerability is fixed in 0.8.7.
Title                         pam_usb: Shell injection via device UUID and username in pamusb-conf and pamusb-agent
Weaknesses                    CWE-78
                              CWE-88
References
Metrics                       cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T13:17:14.622Z

Reserved: 2026-05-07T17:07:09.318Z

Link: CVE-2026-44712

Vulnrichment

Updated: 2026-05-28T13:17:11.486Z

NVD

Status: Deferred

Published: 2026-05-27T21:16:18.213

Modified: 2026-05-28T13:57:25.390

Link: CVE-2026-44712

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:49:53Z

Weaknesses
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')