CVE-2026-48980— pam_usb: getenv() used in PAM context allows environment variable injection into local-check logic
Possible ATT&CK Techniques 1AI
T1055 · Process InjectionGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-48980
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
pam_usb: getenv() used in PAM context allows environment variable injection into local-check logic
Source: NVD (National Vulnerability Database)
Vulnerability Description
pam_usb provides hardware authentication for Linux using removable media. In versions prior to 0.9.2, getenv() environment variables XRDP_SESSION, DISPLAY and TMUX allow environment variable injection into local-check logic. These environment variables influence whether a current session is local or remote, and a PAM module that runs in the context of setuid binaries (sudo, su), getenv() returns attacker-controlled values whenever the process environment has been manipulated by a local user. This issue has been fixed in version 0.9.2.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
可信任变量或数据存储的外部初始化
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-48980
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-48980
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-48980 (1)
Vendor Advisories for CVE-2026-48980 (1)
Same Patch Batch · mcdope · 2026-06-18 · 7 CVEs total
| CVE-2026-48981 | 6.7 MEDIUM | pam_usb: xmlReadFile flags=0 permits XXE network entity fetching in conf.c |
| CVE-2026-48982 | 5.8 MEDIUM | pam_usb: Missing O_EXCL on pad temp file creation allows concurrent update race |
| CVE-2026-48983 | 5.8 MEDIUM | pam_usb: TOCTOU race condition in pad directory creation allows symlink substitution |
| CVE-2026-48985 | 5.5 MEDIUM | pam_usb: NULL Dereference Crash in pusb_is_loginctl_local when loginctl Returns Empty Remo |
| CVE-2026-48984 | 4.7 MEDIUM | pam_usb: xfree() does not call explicit_bzero — sensitive cryptographic material may linge |
| CVE-2026-48986 | 4.7 MEDIUM | pam_usb: Infinite loop DoS in process-tree walk when parent process exits during authentic |
IV. Related Vulnerabilities
Same product: pam_usb
- CVE-2026-48983
pam_usb: TOCTOU race condition in pad directory creation all - CVE-2026-48982
pam_usb: Missing O_EXCL on pad temp file creation allows con - CVE-2026-48981
pam_usb: xmlReadFile flags=0 permits XXE network entity fetc - CVE-2026-48985
pam_usb: NULL Dereference Crash in pusb_is_loginctl_local wh - CVE-2026-48986
pam_usb: Infinite loop DoS in process-tree walk when parent
Same vendor: mcdope
- CVE-2026-48983
pam_usb: TOCTOU race condition in pad directory creation all - CVE-2026-48982
pam_usb: Missing O_EXCL on pad temp file creation allows con - CVE-2026-48981
pam_usb: xmlReadFile flags=0 permits XXE network entity fetc - CVE-2026-48985
pam_usb: NULL Dereference Crash in pusb_is_loginctl_local wh - CVE-2026-48986
pam_usb: Infinite loop DoS in process-tree walk when parent
V. Comments for CVE-2026-48980
No comments yet