CVE-2026-47274 - Vulnerability Details

Description

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, multiple pam_usb helper tools resolved external binaries through the PATH environment variable rather than using absolute paths. An attacker who can influence the process environment during PAM authentication or tool execution could substitute malicious binaries. The affected tools are pamusb-check (src/tmux.c), pamusb-conf (tools/pamusb-conf), and pamusb-keyring-unlock-gnome (tools/pamusb-keyring-unlock-gnome). This vulnerability is fixed in 0.9.0.

Published: 2026-05-27

Score: 6.3 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The pam_usb collection of helper tools used for hardware authentication on Linux suffers from an uncontrolled search path vulnerability. Prior to version 0.9.0, the tools resolved external binaries using the PATH environment variable instead of hard‑coded absolute paths. An attacker who can influence the process environment during PAM authentication or while invoking these tools can point PATH to a malicious binary, causing the tools to execute that binary. This substitute binary runs with the privileges of the PAM service process, enabling an attacker to gain elevated privileges on the affected system.

Affected Systems

The vulnerability affects the pam_usb package distributed by the mcdope project, specifically versions earlier than 0.9.0, which include the utilities pamusb-check, pamusb-conf, and pamusb-keyring-unlock-gnome.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity. The EPSS score is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is local and requires the attacker to manipulate the PATH environment for a PAM authentication or tool execution. Once the attacker succeeds, they may execute arbitrary code with elevated privileges, but the exploitation requires local access and the ability to influence the environment used by pam_usb.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

mcdope

pam_usb

affected

Version	Status	Constraints
`< 0.9.0`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to pam_usb 0.9.0 or a newer release where the uncontrolled search path issue has been resolved.
If an upgrade is not immediately possible, ensure the PATH environment variable is either unset or set to a trusted path before pam_usb helper tools are invoked, preventing the execution of arbitrary binaries.
Verify that all pam_usb helper binaries are owned by a trusted user, placed in directories with restrictive permissions, and are not world‑writable to reduce the risk of substitution.

Generated by OpenCVE AI on May 27, 2026 at 22:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/mcdope/pam_usb/commit/1ee8745920388df48d001a8e61ba629071557937
https://github.com/mcdope/pam_usb/commit/52a1fd6413b7ffcc1a5b58ce432be42e7bf0dbd0
https://github.com/mcdope/pam_usb/commit/993e73d8bebb1d8e62677388de3402b6ec36b600
https://github.com/mcdope/pam_usb/security/advisories/GHSA-pp29-w28g-r9h9

History

Wed, 27 May 2026 20:15:00 +0000

Type	Values Removed	Values Added
Description		pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, multiple pam_usb helper tools resolved external binaries through the PATH environment variable rather than using absolute paths. An attacker who can influence the process environment during PAM authentication or tool execution could substitute malicious binaries. The affected tools are pamusb-check (src/tmux.c), pamusb-conf (tools/pamusb-conf), and pamusb-keyring-unlock-gnome (tools/pamusb-keyring-unlock-gnome). This vulnerability is fixed in 0.9.0.
Title		pam_usb: Uncontrolled search path in pam_usb tools allows privilege escalation via PATH manipulation
Weaknesses		CWE-427
References		https://github.com/mcdope/pam_usb/commit/1ee8745920388df48d001a8e61ba629071557937 https://github.com/mcdope/pam_usb/commit/52a1fd6413b7ffcc1a5b58ce432be42e7bf0dbd0 https://github.com/mcdope/pam_usb/commit/993e73d8bebb1d8e62677388de3402b6ec36b600 https://github.com/mcdope/pam_usb/security/advisories/GHSA-pp29-w28g-r9h9
Metrics		cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-27T20:02:38.484Z

Updated: 2026-05-27T20:02:38.484Z

Reserved: 2026-05-18T23:03:37.230Z

Link: CVE-2026-47274

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-27T20:16:40.013

Modified: 2026-05-27T20:16:40.013

Link: CVE-2026-47274

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T22:45:44Z

Weaknesses

CWE-427

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object