Description
pam_usb provides hardware authentication for Linux using ordinary removable media. In versions prior to 0.9.2, pam_usb calls xmlReadFile() with flags=0 when loading the configuration file, allowing libxml2 to process external entity references (XXE), potentially making outbound network connections or local file reads at XML parse time from the context of the authenticating process. The vulnerability requires the configuration file to contain crafted XML entity references. Since pam_usb.conf is root-owned, direct exploitation requires prior write access to the config, but the defence-in-depth impact is significant given that pam_usb.so runs in setuid contexts (sudo, su). This issue has been fixed in version 0.9.2.
Published: 2026-06-18
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because pam_usb reads its configuration file with xmlReadFile flags=0, allowing libxml2 to process external entity references. If the configuration file contains crafted entity definitions, the parsing process may cause outbound network connections or local file reads during authentication, potentially enabling an attacker who can write to pam_usb.conf to inject data or exfiltrate information. Because pam_usb is executed as a set‑uid helper for commands such as sudo or su, compromised configuration parsing could lead to privilege escalation or unauthorized data disclosure. This weakness is classified as CWE‑611 (XML External Entity (XXE) Processing).

Affected Systems

The affected product is pam_usb from the McDope project. All releases older than 0.9.2 are vulnerable. The configuration file pam_usb.conf is owned by root, so the attacker must first gain write permission to that file, but the set‑uid execution environment makes the potential impact significant if such access is achieved.

Risk and Exploitability

The CVSS score is 6.7, indicating moderate severity. No EPSS data is available and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires crafting a malicious XML configuration and modifying pam_usb.conf, after which pam_usb.so will process the file as the root user during authentication. This attack vector is limited but viable in environments where the attacker can tamper with the root‑owned configuration file, such as systems with compromised local users or during supply‑chain attacks.

Generated by OpenCVE AI on June 18, 2026 at 21:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pam_usb to version 0.9.2 or later, where the XXE processing issue is fixed.
  • Ensure pam_usb.conf is owned by root and permissions are set to 600 to prevent unprivileged modification.
  • Disable pam_usb on systems where it is not required or replace it with a more secure authentication mechanism.
  • Monitor pam_usb.conf for unexpected changes and audit logs for unauthorized modifications.

Generated by OpenCVE AI on June 18, 2026 at 21:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Mcdope
Mcdope pam Usb
Vendors & Products Mcdope
Mcdope pam Usb

Thu, 18 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Description pam_usb provides hardware authentication for Linux using ordinary removable media. In versions prior to 0.9.2, pam_usb calls xmlReadFile() with flags=0 when loading the configuration file, allowing libxml2 to process external entity references (XXE), potentially making outbound network connections or local file reads at XML parse time from the context of the authenticating process. The vulnerability requires the configuration file to contain crafted XML entity references. Since pam_usb.conf is root-owned, direct exploitation requires prior write access to the config, but the defence-in-depth impact is significant given that pam_usb.so runs in setuid contexts (sudo, su). This issue has been fixed in version 0.9.2.
Title pam_usb: xmlReadFile flags=0 permits XXE network entity fetching in conf.c
Weaknesses CWE-611
References
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T15:19:47.899Z

Reserved: 2026-05-26T23:26:07.974Z

Link: CVE-2026-48981

cve-icon Vulnrichment

Updated: 2026-06-22T15:19:32.377Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T21:30:16Z

Weaknesses
  • CWE-611

    Improper Restriction of XML External Entity Reference