Impact
pam_usb allows hardware authentication by detecting USB removable media. In versions earlier than 0.8.7, the module reads the user's $TMUX environment variable, splits it on commas, and places the resulting socket-path component directly into a shell command that is executed by popen() as root. Because the value is interpolated into a double‑quoted string without any escaping, an attacker can include a quotation mark and arbitrary shell syntax to break out of the intended command and inject commands. This results in remote code execution with root privileges, enabling complete compromise of the affected machine. The weakness is a command injection (CWE‑78) combined with improper encoding of user input (CWE‑116).
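The hardening pattern that addresses this class of bug, as an added example (not pam_usb's own code and not the upstream patch): validate the socket-path field of `$TMUX` against a strict allow-list and pass it to the child as a single argv element so no shell ever parses it. The function names, the `/usr/bin/tmux` path, the `list-clients` subcommand and the sample value are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Copy the socket-path field (text before the first comma) of a $TMUX-style
 * value into out. Returns 0 only for an absolute path made solely of
 * [A-Za-z0-9/_.-]; quotes, spaces, $, ` and ; are all rejected (-1). */
int tmux_socket_path(const char *tmux_env, char *out, size_t outlen)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/_.-";
    size_t len;
    if (tmux_env == NULL || out == NULL || tmux_env[0] != '/')
        return -1;
    len = strcspn(tmux_env, ",");          /* length of the first field */
    if (len >= outlen || strspn(tmux_env, ok) < len)
        return -1;                         /* too long or disallowed byte */
    memcpy(out, tmux_env, len);
    out[len] = '\0';
    return 0;
}

/* Run tmux with the validated path as one argv element; execv() involves no
 * shell, so the value is never interpreted as command syntax.
 * Binary path and subcommand are assumptions, not taken from pam_usb. */
int run_tmux_on_socket(const char *socket_path)
{
    int status = 0;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "tmux", "-S", (char *)socket_path,
                               "list-clients", NULL };
        execv("/usr/bin/tmux", argv);
        _exit(127);                        /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char path[108];
    const char *sample = "/tmp/tmux-1000/default,4242,0"; /* constructed */
    if (tmux_socket_path(sample, path, sizeof path) != 0)
        return 1;                          /* reject: do not authenticate */
    printf("validated socket path: %s\n", path);
    return 0;
}
```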
Affected Systems
The vulnerable module belongs to mcdope's pam_usb. All releases prior to version 0.8.7 are affected. No specific CPE identifiers are provided, but any system that runs pam_usb 0.8.6 or earlier and uses the PAM authentication stack is at risk. Upstream indicates that the fix was applied in 0.8.7, so newer releases are not vulnerable.
Risk and Exploitability
With a CVSS score of 8.8, the vulnerability is rated high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to provide a crafted $TMUX environment variable before the PAM module runs. The likely attack vector is local, as the attacker must influence the environment of a user session that uses pam_usb for authentication. If the attacker gains local access or can set environment variables for a privileged process, they can execute arbitrary shell commands with root privileges. Therefore, urgent remediation is warranted.