Description
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, a crafted UUID such as $(id>/tmp/rce) in the config causes root RCE when pamusb-conf --reset-pads is run. A USB device with a crafted filesystem UUID (some controllers allow this) can inject the payload at --add-device time. Also, userName from the XML config is passed to os.system() in pamusb-agent, which invokes a shell. This vulnerability is fixed in 0.8.7.
Published: 2026-05-27
Score: 8.2 (High)
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The pam_usb authentication module passes the removable device’s UUID and the XML configuration’s username directly to operating system utilities without sanitization. An attacker can craft a UUID containing shell metacharacters (e.g., $(id>/tmp/rce)) or alter the username field, which is then executed by pamusb-conf during pad reset or by pamusb-agent during a login attempt. This flaw enables arbitrary shell execution with root privileges, representing a severe command injection vulnerability (CWE-78, CWE-88).
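The injection pattern the analysis describes, beside its hardened form, as an added Python illustration that is not pam_usb's own code: an allow-list check on the device UUID and the configured username before either value reaches any command, and argv-list execution with no shell so a value such as $(id>/tmp/rce) is passed as one literal argument instead of being evaluated. The tool name device-tool, the accepted UUID shapes and the username pattern are assumptions made for this example; the only value taken from the advisory is the crafted UUID it quotes.

```python
"""Defensive handling of the two values CVE-2026-44712 describes as reaching
a shell: a removable device's filesystem UUID and the userName from the XML
config. Added illustration, not pam_usb code; 'device-tool', the UUID shapes
and the username pattern are assumptions for this example."""
import re
import subprocess
import sys
from typing import List

# Shapes a filesystem UUID can legitimately take (assumption for this example):
# RFC 4122 style (ext4/xfs/btrfs), 8-char FAT volume id, 16-char NTFS serial.
_FS_UUID_PATTERNS = (
    re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"),
    re.compile(r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}"),
    re.compile(r"[0-9A-Fa-f]{16}"),
)
# Conservative POSIX-style account name: lowercase, no spaces, no metacharacters.
_USERNAME_PATTERN = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

# The crafted value quoted in the advisory, plus constructed benign samples.
CRAFTED_UUID = "$(id>/tmp/rce)"
SAMPLE_UUIDS = ["3f2504e0-4f89-11d3-9a0c-0305e82c3301", "1A2B-3C4D", "0123456789ABCDEF"]


def is_valid_fs_uuid(value: str) -> bool:
    """Allow-list check: True only if the whole value matches a known UUID shape.
    fullmatch (not match) so a trailing newline or suffix is also rejected."""
    return any(p.fullmatch(value) for p in _FS_UUID_PATTERNS)


def is_valid_username(value: str) -> bool:
    """Allow-list check for the userName field read from the XML config."""
    return _USERNAME_PATTERN.fullmatch(value) is not None


def unsafe_command_string(uuid: str) -> str:
    """The vulnerable pattern: the untrusted value is interpolated into a string
    that os.system() would hand to /bin/sh, where $(...) is evaluated before the
    tool ever runs. Returned for inspection only, never executed here."""
    return f"device-tool --uuid {uuid}"


def safe_argv(uuid: str) -> List[str]:
    """The hardened pattern: validate first, then build an argv list for
    subprocess.run(..., shell=False) so the value is a single literal argument."""
    if not is_valid_fs_uuid(uuid):
        raise ValueError(f"rejected device UUID: {uuid!r}")
    return ["device-tool", "--uuid", uuid]


def pass_through_without_shell(value: str) -> str:
    """Show that an argv list reaches the child verbatim: the child (python
    itself, so this runs anywhere) writes back argv[1]; no shell is involved."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    print("string a shell would evaluate:", unsafe_command_string(CRAFTED_UUID))
    print("validator rejects crafted uuid:", not is_valid_fs_uuid(CRAFTED_UUID))
    print("child received literally:", pass_through_without_shell(CRAFTED_UUID))
    for u in SAMPLE_UUIDS:
        print("accepted:", u, safe_argv(u))
```

The two checks are independent defences: the allow-list stops the crafted value at --add-device or --reset-pads time, and shell-free execution means that even a value that slipped past validation would be a literal argument rather than shell syntax.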

Affected Systems

The affected product is pam_usb by mcdope. Any installation of pam_usb prior to version 0.8.7 is vulnerable; versions 0.8.7 and later contain the fix.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. An attacker must physically control a USB device with a crafted filesystem UUID or be able to modify the XML configuration to inject the payload. Based on the description, the attack vector is inferred to be local: it requires physical access to a vulnerable machine or the ability to supply a malicious USB device. Once the payload executes, the attacker gains root-level access, compromising the confidentiality, integrity, and availability of the entire system.

Generated by OpenCVE AI on May 27, 2026 at 22:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pam_usb to version 0.8.7 or later.
  • Remove any USB devices that have been written with a crafted filesystem UUID or altered configuration.
  • Restrict physical USB port usage and apply PAM policy changes to disable pam_usb for untrusted devices, or remove pam_usb from the PAM stack until the update is applied.

Advisories

No advisories yet.

History

Wed, 27 May 2026 21:00:00 +0000

Type          Values Removed   Values Added
Description   -                pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, a crafted UUID such as $(id>/tmp/rce) in the config causes root RCE when pamusb-conf --reset-pads is run. A USB device with a crafted filesystem UUID (some controllers allow this) can inject the payload at --add-device time. Also, userName from the XML config is passed to os.system() in pamusb-agent, which invokes a shell. This vulnerability is fixed in 0.8.7.
Title         -                pam_usb: Shell injection via device UUID and username in pamusb-conf and pamusb-agent
Weaknesses    -                CWE-78, CWE-88
References    -                -
Metrics       -                cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T20:24:23.131Z

Reserved: 2026-05-07T17:07:09.318Z

Link: CVE-2026-44712

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-27T21:16:18.213

Modified: 2026-05-27T21:16:18.213

Link: CVE-2026-44712

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T22:45:44Z

Weaknesses