CVE-2026-44712

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, a crafted UUID such as $(id>/tmp/rce) in the config causes root RCE when pamusb-conf --reset-pads is run. A USB device with a crafted filesystem UUID (some controllers allow this) can inject the payload at --add-device time. Also, userName from the XML config is passed to os.system() in pamusb-agent, which invokes a shell. This vulnerability is fixed in 0.8.7.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.5 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/mcdope/pam_usb/security/advisories/GHSA-jgv5-w6rm-7wxg

Configurations

No configuration.

History

27 May 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-27 21:16

Updated : 2026-05-28 13:57

NVD link : CVE-2026-44712

Mitre link : CVE-2026-44712

CVE.ORG link : CVE-2026-44712

JSON object : View

Products Affected

No product.

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

8.2 /10