Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2026-47272— pam_usb: OTP pad authentication bypass via missing system pad check and uninitialized RNG buffer

CVSS 7.1 · High
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-47272

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
pam_usb: OTP pad authentication bypass via missing system pad check and uninitialized RNG buffer
Source: NVD (National Vulnerability Database)
Vulnerability Description
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, the pusb_pad_compare() function in src/pad.c only verified that the user-side pad (~/.pamusb/device.pad) could be read, but did not enforce that the system-side pad (the pad file on the USB device) was also present and readable. If the user-side pad was deleted or unreadable, the function returned a failure that was treated as non-fatal in certain code paths, allowing authentication to succeed without the USB device being verified. A local user can delete their own ~/.pamusb/device.pad to remove the USB device requirement and authenticate without the physical device. This vulnerability is fixed in 0.9.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
认证机制不恰当
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
mcdopepam_usb < 0.9.0 -

II. Public POCs for CVE-2026-47272

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-47272

登录查看更多情报信息。

Other References for CVE-2026-47272 (1)

Same Patch Batch · mcdope · 2026-05-27 · 15 CVEs total

CVE-2026-447138.8 HIGHpam_usb: Command injection via $TMUX environment variable leads to RCE as root
CVE-2026-447128.2 HIGHpam_usb: Shell injection via device UUID and username in pamusb-conf and pamusb-agent
CVE-2026-480648.1 HIGHpam_usb: PAM_RHOST check skipped when deny_remote=false allows XDMCP authentication bypass
CVE-2026-447117.9 HIGHpam_usb: Symlink attacks on pad directory and pad files enable authentication bypass and r
CVE-2026-447097.8 HIGHpam_usb: PINENTRY_FALLBACK_APP environment variable allows arbitrary command execution
CVE-2026-472697.4 HIGHpam_usb: deny_remote feature incorrectly classifies IPv4-mapped IPv6 remote connections as
CVE-2026-480656.7 MEDIUMpam_usb: Unchecked integer multiplication before xmalloc() in conf.c allows heap-based buf
CVE-2026-472736.5 MEDIUMpam_usb: XPath injection via PAM-supplied identifiers in pam_usb configuration queries
CVE-2026-472746.3 MEDIUMpam_usb: Uncontrolled search path in pam_usb tools allows privilege escalation via PATH ma
CVE-2026-472706.3 MEDIUMpam_usb: strtok() race condition in multi-threaded PAM hosts can corrupt deny_remote resul
CVE-2026-480665.7 MEDIUMpam_usb: Thread-unsafe static pointer in log.c causes data race under concurrent PAM authe
CVE-2026-472715.1 MEDIUMpam_usb: OOM guards removed by -DNDEBUG cause NULL dereference and authentication process
CVE-2026-447104.6 MEDIUMpam_usb: NULL pointer dereference from UDisks device fields causes PAM crash and login den
CVE-2026-487924.4 MEDIUMpam_usb: pusb_has_virtual_input_device() silently discards EACCES, disabling remote deskto

IV. Related Vulnerabilities

Same product: pam_usb
Same vendor: mcdope
Same weakness: CWE-287

V. Comments for CVE-2026-47272

No comments yet

Leave a comment