Description
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb's deny_remote feature checks utmpx ut_addr_v6 to detect whether an authentication request originates from a remote session. The outer guard was if (utent->ut_addr_v6[0] != 0), which only tests the first 32-bit word of the 128-bit address field. IPv4-mapped IPv6 addresses (::ffff:x.x.x.x) store the IPv4 address in ut_addr_v6[3] with ut_addr_v6[0] == 0. On systems where the SSH daemon listens on :: (IPv6 wildcard) with AddressFamily any -- common on Ubuntu and Debian -- incoming IPv4 connections are recorded in utmpx as IPv4-mapped IPv6 addresses. The outer check evaluates to false, the remote-detection block is skipped entirely, and the session is treated as local. deny_remote=true does not block the authentication. An attacker with physical access to a registered USB device can authenticate over SSH on an affected system as if they were sitting at a local terminal, bypassing the deny_remote restriction. This vulnerability is fixed in 0.9.0.
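As an added illustration (not pam_usb's own code), the one-word guard quoted above next to a guard that inspects all four words of ut_addr_v6, run against a constructed utmpx-style entry for an IPv4-mapped peer; the stand-in struct utent, the function names and the sample address 192.0.2.10 are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Stand-in for the one field of glibc's struct utmpx that deny_remote reads:
 * int32_t ut_addr_v6[4], the peer address in network byte order (all zero
 * for a console login). Defined locally so this runs without /var/run/utmp. */
struct utent { int32_t ut_addr_v6[4]; };
/* Pre-0.9.0 guard as quoted in the advisory: only word 0 is inspected. */
bool remote_session_old(const struct utent *ut)
{
    return ut->ut_addr_v6[0] != 0;
}

/* Hardened guard (hypothetical, not pam_usb's own patch): remote if any of
 * the four 32-bit words is non-zero, which covers ::ffff:a.b.c.d. */
bool remote_session_fixed(const struct utent *ut)
{
    for (int i = 0; i < 4; i++)
        if (ut->ut_addr_v6[i] != 0)
            return true;
    return false;
}

/* IPv4-mapped form (::ffff:a.b.c.d): words 0-1 zero, word 2 == 0xffff, IPv4 in word 3. */
bool is_v4_mapped(const struct utent *ut)
{
    return ut->ut_addr_v6[0] == 0 && ut->ut_addr_v6[1] == 0 &&
           ut->ut_addr_v6[2] == (int32_t)htonl(0x0000ffffU);
}

/* Constructed entry for an SSH login from 192.0.2.10 through an sshd bound
 * to :: (AddressFamily any): the kernel reports the peer as ::ffff:192.0.2.10. */
void make_v4_mapped_entry(struct utent *ut)
{
    memset(ut, 0, sizeof *ut);
    ut->ut_addr_v6[2] = (int32_t)htonl(0x0000ffffU);
    ut->ut_addr_v6[3] = (int32_t)htonl(0xc000020aU); /* 192.0.2.10 */
}

/* Replays the advisory: the old guard treats the mapped-address session as
 * local (bypass); the fixed guard classifies it as remote. */
bool v4_mapped_bypasses_old_guard(void)
{
    struct utent ut;
    make_v4_mapped_entry(&ut);
    return is_v4_mapped(&ut) && !remote_session_old(&ut) && remote_session_fixed(&ut);
}
```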
Published: 2026-05-27
Score: 7.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

pam_usb provides hardware authentication for Linux using removable media; its deny_remote feature checks the utmpx ut_addr_v6 field to decide whether an authentication request comes from a remote session. That check only examined the first 32‑bit word of the 128‑bit address, so IPv4‑mapped IPv6 addresses (which carry the IPv4 address in the last word, with the first word zero) were incorrectly classified as local. An attacker who physically possessed a registered USB token could therefore authenticate over SSH as if at a local terminal, bypassing the deny_remote restriction and gaining access through a remote channel.

Affected Systems

The vulnerability affects the mcdope:pam_usb package on Linux systems that use the pam_usb plug‑in for USB token authentication. Versions prior to 0.9.0 are impacted; the fix is present in 0.9.0 and later.

Risk and Exploitability

The CVSS score of 7.4 indicates high severity with potential for remote authentication bypass. EPSS data is not available, so the current exploitation probability cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an attacker who holds a registered USB token connecting over SSH to a host whose sshd listens on the IPv6 wildcard with AddressFamily any, so the bypass can be triggered remotely.

Generated by OpenCVE AI on May 27, 2026 at 22:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pam_usb to version 0.9.0 or later, which corrects the address comparison logic.
  • Reconfigure the SSH daemon to use AddressFamily inet only or otherwise restrict remote connections from IPv4‑mapped IPv6 addresses, ensuring deny_remote remains effective.
  • Limit physical access to USB authentication devices to trusted personnel or use device whitelisting to reduce the risk of unauthorized token use.

Advisories

No advisories yet.

History

Wed, 27 May 2026 21:00:00 +0000

Type         Values Removed   Values Added
Description                   (added; same text as the Description at the top of this page)
Title                         pam_usb: deny_remote feature incorrectly classifies IPv4-mapped IPv6 remote connections as local
Weaknesses                    CWE-284
References
Metrics                       cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T20:11:44.975Z

Reserved: 2026-05-18T23:03:37.229Z

Link: CVE-2026-47269

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-27T21:16:18.810

Modified: 2026-05-27T21:16:18.810

Link: CVE-2026-47269

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T22:30:35Z

Weaknesses