pam_usb — Vulnerabilities & Security Advisories (15)

All 15 CVE vulnerabilities found in pam_usb, with AI-generated Chinese analysis, references, and POCs.

This page documents known security vulnerabilities affecting pam_usb, a Pluggable Authentication Module for USB devices developed by the open-source community. It serves as a centralized repository for tracking weaknesses associated with this specific authentication tool, focusing on issues related to access control, input validation, and secure storage practices inherent to its implementation. The content collected here aggregates vulnerability records spanning from the project’s early development phases through its most recent stable releases. By consolidating data from various vendor advisories, security databases, and community reports, this page provides a comprehensive historical overview of security flaws identified in pam_usb. The time range covered ensures that users can examine both legacy issues that may still affect older deployments and contemporary findings relevant to current versions. Readers can utilize this resource to track a vendor’s advisories regarding remediation steps and patch availability. Furthermore, individuals can understand a weakness class by observing how specific vulnerabilities manifest within the context of USB-based authentication mechanisms. Users are also able to look up a product's vulnerability history to assess the overall security posture of pam_usb over time, helping them make informed decisions about deployment configurations, upgrade paths, and risk mitigation strategies without relying on fragmented information sources.

Vendor: mcdope

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-44712 | pam_usb: Shell injection via device UUID and username in pamusb-conf and pamusb-agent | CWE-78 | 8.2 | High | 2026-05-27 |
| CVE-2026-44709 | pam_usb: PINENTRY_FALLBACK_APP environment variable allows arbitrary command execution | CWE-78 | 7.8 | High | 2026-05-27 |
| CVE-2026-44710 | pam_usb: NULL pointer dereference from UDisks device fields causes PAM crash and login denial-of-service | CWE-476 | 4.6 | Medium | 2026-05-27 |
| CVE-2026-44711 | pam_usb: Symlink attacks on pad directory and pad files enable authentication bypass and root file corruption | CWE-59 | 7.9 | High | 2026-05-27 |
| CVE-2026-44713 | pam_usb: Command injection via $TMUX environment variable leads to RCE as root | CWE-78 | 8.8 | High | 2026-05-27 |
| CVE-2026-47269 | pam_usb: deny_remote feature incorrectly classifies IPv4-mapped IPv6 remote connections as local | CWE-284 | 7.4 | High | 2026-05-27 |
| CVE-2026-47270 | pam_usb: strtok() race condition in multi-threaded PAM hosts can corrupt deny_remote result | CWE-362 | 6.3 | Medium | 2026-05-27 |
| CVE-2026-47271 | pam_usb: OOM guards removed by -DNDEBUG cause NULL dereference and authentication process crash | CWE-476 | 5.1 | Medium | 2026-05-27 |
| CVE-2026-47272 | pam_usb: OTP pad authentication bypass via missing system pad check and uninitialized RNG buffer | CWE-287 | 7.1 | High | 2026-05-27 |
| CVE-2026-47273 | pam_usb: XPath injection via PAM-supplied identifiers in pam_usb configuration queries | CWE-91 | 6.5 | Medium | 2026-05-27 |
| CVE-2026-47274 | pam_usb: Uncontrolled search path in pam_usb tools allows privilege escalation via PATH manipulation | CWE-427 | 6.3 | Medium | 2026-05-27 |
| CVE-2026-48064 | pam_usb: PAM_RHOST check skipped when deny_remote=false allows XDMCP authentication bypass | CWE-863 | 8.1 | High | 2026-05-27 |
| CVE-2026-48065 | pam_usb: Unchecked integer multiplication before xmalloc() in conf.c allows heap-based buffer overflow on 32-bit targets | CWE-122 | 6.7 | Medium | 2026-05-27 |
| CVE-2026-48066 | pam_usb: Thread-unsafe static pointer in log.c causes data race under concurrent PAM authentication | CWE-362 | 5.7 | Medium | 2026-05-27 |
| CVE-2026-48792 | pam_usb: pusb_has_virtual_input_device() silently discards EACCES, disabling remote desktop detection under non-root execution | CWE-390 | 4.4 | Medium | 2026-05-27 |
