Impact
The vulnerability allows a local user to influence the PAM module’s determination of whether a session is local or remote by injecting values into the environment variables XRDP_SESSION, DISPLAY and TMUX. The environment variable injection can cause the module to misclassify a session type, potentially letting the attacker bypass local‑check logic and gain unauthorized privileges within the PAM authentication flow. The weakness arises from the use of getenv() without sanitization in a setuid context, and it is classified as CWE-454 and CWE-807.
Affected Systems
The issue affects the pam_usb client library used for USB‑based hardware authentication on Linux, specifically all versions before 0.9.2 released by the vendor. Users who run any earlier version of pam_usb on a system that allows manipulation of the mentioned environment variables are impacted. No specific operating system versions are listed; the flaw exists wherever the vulnerable pam_usb library is installed. The fix is provided in the 0.9.2 release, which removes the environment variable reliance.
Risk and Exploitability
The CVSS score of 6.3 indicates a medium severity vulnerability. Because EPSS data is not available, the likelihood of exploitation cannot be quantified, but the flaw is not listed in the CISA KEV catalog, suggesting no known active exploitation. The attack vector is inferred to be local: a legitimate local user can set the three environment variables before invoking a setuid binary such as sudo or su, thereby injecting values into the PAM module. To exploit, the attacker must have shell access to set the environment variables, and the PAM module must be configured to evaluate them during the authentication step. No network or remote exploitation is required.
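The weakness described above, as an added example that is not pam_usb's source: a locality check that trusts `XRDP_SESSION` and `DISPLAY` from the environment, beside one that decides only from a value handed over by the PAM stack. The function names, the `DISPLAY` parsing rule, the sample values and the use of `PAM_RHOST` as the trusted input are assumptions made for illustration; `TMUX` is left out to keep the case small.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Weak pattern (hypothetical, not pam_usb's source): the locality decision
 * reads variables that the invoking user controls before a setuid program
 * such as sudo or su starts. Returns 1 for "remote", 0 for "local". */
int remote_by_env(void)
{
    const char *display = getenv("DISPLAY");

    if (getenv("XRDP_SESSION") != NULL)
        return 1;
    /* A host part before ':' (e.g. "host:10.0") is read as a remote display. */
    if (display != NULL && display[0] != '\0' && display[0] != ':')
        return 1;
    return 0;
}

/* Hardened pattern (assumption): decide only from a value the caller obtained
 * from the PAM stack, e.g. pam_get_item(pamh, PAM_RHOST, ...), passed in
 * here as a plain string. Anything unknown is treated as remote. */
int remote_by_pam_rhost(const char *rhost, int rhost_known)
{
    if (!rhost_known)
        return 1;                       /* fail closed */
    if (rhost == NULL || rhost[0] == '\0')
        return 0;                       /* no remote host recorded */
    return strcmp(rhost, "localhost") != 0 &&
           strcmp(rhost, "127.0.0.1") != 0 &&
           strcmp(rhost, "::1") != 0;
}

/* Constructed scenario: a session whose environment marks it as remote,
 * after the user edits that environment. Returns the verdict that results. */
int verdict_after_env_edit(int use_env)
{
    setenv("XRDP_SESSION", "1", 1);          /* constructed sample values */
    setenv("DISPLAY", "192.0.2.10:10.0", 1);
    unsetenv("XRDP_SESSION");                /* user-controlled change */
    setenv("DISPLAY", ":0", 1);
    return use_env ? remote_by_env()
                   : remote_by_pam_rhost("192.0.2.10", 1);
}
```

The environment-based check returns "local" once the variables are edited, while the check fed from the PAM stack still reports "remote" and fails closed when no trusted value is available.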