Description
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb is a PAM module loaded into the host process (sudo, login, GDM, GNOME Shell). Display managers such as GDM run multiple concurrent authentication threads. Three functions used by the deny_remote feature called the non-reentrant strtok(), which stores state in a single global pointer. If two authentications race, one thread's strtok() call can overwrite the other's in-progress tokenisation pointer, causing incorrect parsing of the tmux session data or the /proc environ scan that backs the remote-session detection logic. Additionally, pusb_tmux_get_client_tty() passed the raw pointer returned by getenv(TMUX) directly to strtok(). getenv() returns a pointer into the live process environment block; strtok() inserts NUL bytes into that block, permanently corrupting the TMUX variable for subsequent code running in the same process. In long-lived display managers this affects all future authentications in that process. The combined effect can cause deny_remote=true to return an incorrect decision for a remote session, or an incorrect decision for a local session, depending on thread interleaving. This vulnerability is fixed in 0.9.0.
Published: 2026-05-27
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from a race condition in pam_usb’s use of the non‑reentrant strtok() function when multiple concurrent authentication threads run in PAM hosts such as GDM, sudo, or GNOME Shell. Concurrent invocations can overwrite a global tokenisation pointer, leading to corrupted parsing of TMUX and /proc variables used by the deny_remote logic. This corrupted state can cause the PAM module to return an incorrect remote‑session decision—that is, it may inadvertently allow a remote session that should be denied or vice‑versa. Consequently, attackers could potentially bypass remote‑session checks or force a local session to be treated as remote, undermining the intended access controls and permitting unauthorized authentication.

Affected Systems

The flaw affects the open‑source pam_usb module developed by mcdope. Versions prior to 0.9.0 are vulnerable. Systems that load pam_usb into PAM hosts—such as sudo, login, GDM, or GNOME Shell—are at risk when those hosts execute authentication in multiple threads. The vulnerability arises only when the deny_remote feature is enabled, so deployments that disable this feature will not be impacted. Users should verify the installed pam_usb version; upgrading to 0.9.0 or later resolves the race condition.

Risk and Exploitability

The CVSS score of 6.3 classifies this as a medium‑severity flaw. Because the exploit requires concurrent PAM authentication threads, it is most relevant to multi‑threaded display managers; single‑threaded PAM clients are not affected. The EPSS score is not available, so the likelihood of exploitation cannot be quantified currently, but the lack of a CISA KEV listing suggests it has not yet been exploited in the wild. Nonetheless, the potential for granting unauthorized remote access warrants prompt remediation.

Generated by OpenCVE AI on May 27, 2026 at 22:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update pam_usb to version 0.9.0 or later, which removes the race condition.
  • If upgrading immediately is not possible, run display managers in single‑threaded mode or otherwise serialize PAM authentication to prevent concurrent threads.
  • As a temporary workaround, disable the deny_remote feature in pam_usb’s configuration until the module is patched.

Generated by OpenCVE AI on May 27, 2026 at 22:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 21:00:00 +0000

Type Values Removed Values Added
Description pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb is a PAM module loaded into the host process (sudo, login, GDM, GNOME Shell). Display managers such as GDM run multiple concurrent authentication threads. Three functions used by the deny_remote feature called the non-reentrant strtok(), which stores state in a single global pointer. If two authentications race, one thread's strtok() call can overwrite the other's in-progress tokenisation pointer, causing incorrect parsing of the tmux session data or the /proc environ scan that backs the remote-session detection logic. Additionally, pusb_tmux_get_client_tty() passed the raw pointer returned by getenv(TMUX) directly to strtok(). getenv() returns a pointer into the live process environment block; strtok() inserts NUL bytes into that block, permanently corrupting the TMUX variable for subsequent code running in the same process. In long-lived display managers this affects all future authentications in that process. The combined effect can cause deny_remote=true to return an incorrect decision for a remote session, or an incorrect decision for a local session, depending on thread interleaving. This vulnerability is fixed in 0.9.0.
Title pam_usb: strtok() race condition in multi-threaded PAM hosts can corrupt deny_remote result
Weaknesses CWE-362
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T20:10:37.108Z

Reserved: 2026-05-18T23:03:37.229Z

Link: CVE-2026-47270

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-27T21:16:18.950

Modified: 2026-05-27T21:16:18.950

Link: CVE-2026-47270

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T22:45:44Z

Weaknesses