Impact
The vulnerability resides in pam_usb, the Linux PAM module that uses removable media for authentication. In releases before 0.9.0, the pusb_pad_compare() function validated only the existence of the user-side pad (~/.pamusb/device.pad) and ignored the requirement that the system-side pad stored on the USB device be present and readable. If the user deletes the user-side pad or makes it unreadable, the function returns a failure that the calling code treats as non-fatal in certain paths, so authentication succeeds without the physical device ever being verified. The result is an authentication bypass that lets a local user log in without the USB token, effectively granting them any privileges associated with that account. This is an Authentication Bypass (CWE-287) vulnerability with local scope.
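The fail-open pattern described above, shown next to its fail-closed counterpart, as an added illustration in C. This is not pam_usb's code: the pad length, file names, enum and function names are all assumptions made for the demo.

```c
#include <stdio.h>
#include <string.h>
#define PAD_SIZE 32 /* hypothetical pad length, not pam_usb's own constant */
enum pad_result { PAD_ERROR = -1, PAD_MISMATCH = 0, PAD_MATCH = 1 };

/* Read exactly PAD_SIZE bytes; -1 if the file is missing, unreadable or short. */
static int read_pad(const char *path, unsigned char *out) {
    FILE *f = fopen(path, "rb");
    size_t n = f ? fread(out, 1, PAD_SIZE, f) : 0;
    if (f) fclose(f);
    return n == PAD_SIZE ? 0 : -1;
}

/* Tri-state compare: an I/O problem is reported apart from a real mismatch. */
enum pad_result pad_compare(const char *user_pad, const char *device_pad) {
    unsigned char u[PAD_SIZE], d[PAD_SIZE], diff = 0;
    if (read_pad(user_pad, u) != 0 || read_pad(device_pad, d) != 0) return PAD_ERROR;
    for (size_t i = 0; i < PAD_SIZE; i++) diff |= u[i] ^ d[i]; /* constant time */
    return diff == 0 ? PAD_MATCH : PAD_MISMATCH;
}

/* Weak caller: only an explicit mismatch denies, so the PAD_ERROR from a
 * deleted or unreadable user-side pad is treated as non-fatal (fail-open). */
int authenticate_weak(const char *user_pad, const char *device_pad) {
    return pad_compare(user_pad, device_pad) != PAD_MISMATCH;
}

/* Hardened caller: anything other than a verified match denies (fail-closed). */
int authenticate_fail_closed(const char *user_pad, const char *device_pad) {
    return pad_compare(user_pad, device_pad) == PAD_MATCH;
}

/* Demo helper: write a constructed pad file filled with one byte value. */
int write_pad(const char *path, unsigned char fill) {
    unsigned char buf[PAD_SIZE]; memset(buf, fill, PAD_SIZE);
    FILE *f = fopen(path, "wb");
    size_t n = f ? fwrite(buf, 1, PAD_SIZE, f) : 0;
    if (f) fclose(f);
    return n == PAD_SIZE ? 0 : -1;
}

int main(void) {
    const char *u = "/tmp/pamusb_demo_user.pad", *d = "/tmp/pamusb_demo_device.pad";
    write_pad(u, 0xA5); write_pad(d, 0xA5);
    printf("both pads:     weak=%d closed=%d\n", authenticate_weak(u, d), authenticate_fail_closed(u, d));
    remove(u); /* simulate the user deleting ~/.pamusb/device.pad */
    printf("user pad gone: weak=%d closed=%d\n", authenticate_weak(u, d), authenticate_fail_closed(u, d));
    remove(d);
}
```

With both pads present and equal both callers accept; once the user-side pad is removed the weak caller still accepts (the bypass), while the fail-closed caller denies.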
Affected Systems
The affected product is pam_usb from vendor mcdope. All versions older than 0.9.0 are vulnerable; version 0.9.0 and later contain the fix.
Risk and Exploitability
The CVSS score of 7.1 classifies the issue as high severity. The vulnerability can only be exploited by a local user who has the ability to delete or modify files in their own home directory. There is no public remote exploitation surface, and the EPSS score is not available; however, because the attack requires only a local account and simple file manipulation, the likelihood of exploitation in environments where local users can write to their home directories is significant. The vulnerability is not listed in CISA's KEV catalog, but the potential for privilege escalation in privileged services that use pam_usb elevates the operational risk.
OpenCVE Enrichment