CVE-2026-44709
Command Injection in pam_usb via PINENTRY_FALLBACK_APP
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
The flaw is in pam_usb versions before 0.8.7, in the pamusb-pinentry component. pamusb-pinentry reads the environment variable PINENTRY_FALLBACK_APP and executes its value as the fallback PIN-entry program without validating it, so the variable is trusted as a command rather than checked against a known set of pinentry programs. Any process that can set environment variables in the context in which pamusb-pinentry runs can therefore point it at an arbitrary binary or script, which then executes with the privileges of the pam_usb tool chain (CWE-78).
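The following is an added illustration of the CWE-78 pattern described above, not pam_usb's own code and not the actual 0.8.7 fix. `vulnerable_pinentry_command` models the unpatched behaviour (the variable's value becomes the command line verbatim). `hardened_pinentry_argv` treats the variable as an untrusted hint: only a bare program name from an allowlist is accepted, it is resolved on a fixed search path rather than the caller's PATH, and the result is an argv list for execution without a shell. The allowlist, the trusted directories and the injectable `which` hook are assumptions made for the demonstration.

```python
"""Added example (not pam_usb's own code): the CWE-78 pattern the advisory
describes, and one way to harden it.

`vulnerable_pinentry_command` models the unpatched behaviour: the value of
PINENTRY_FALLBACK_APP is used verbatim as the command to run.
`hardened_pinentry_argv` treats the variable as an untrusted hint: only a
bare program name from an allowlist is accepted, it is resolved on a fixed
search path, and the result is an argv list meant for subprocess without a
shell. Allowlist, search path and the `which` hook are assumptions for the
demonstration; the real fix in pam_usb 0.8.7 is not reproduced here.
"""
import os
import re
import shutil
import subprocess
from typing import Callable, List, Mapping, Optional

# Assumed allowlist of pinentry programs a fallback may select.
ALLOWED_PINENTRIES = frozenset({
    "pinentry", "pinentry-curses", "pinentry-tty",
    "pinentry-gtk-2", "pinentry-qt", "pinentry-gnome3",
})
# Assumed trusted directories; the caller's PATH is deliberately ignored.
TRUSTED_PATH = ("/usr/bin", "/usr/local/bin", "/bin")
# Bare program names only: no '/', whitespace or shell metacharacters.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")


def vulnerable_pinentry_command(env: Mapping[str, str]) -> Optional[str]:
    """Unpatched pattern: whatever the variable holds becomes the command line.
    Returned rather than executed so the example stays harmless; in the
    vulnerable program this string would be handed to a shell, so '/tmp/evil'
    or 'pinentry; id' runs exactly as the attacker wrote it."""
    return env.get("PINENTRY_FALLBACK_APP")


def hardened_pinentry_argv(
    env: Mapping[str, str],
    which: Callable[..., Optional[str]] = shutil.which,
) -> Optional[List[str]]:
    """Return an argv list for an allowlisted pinentry, or None to refuse.

    None means 'no usable fallback'; the caller then uses its built-in
    default rather than anything named by the environment."""
    name = env.get("PINENTRY_FALLBACK_APP", "").strip()
    if not name:
        return None
    if not _SAFE_NAME.match(name):          # rejects paths and metacharacters
        return None
    if name not in ALLOWED_PINENTRIES:      # rejects e.g. 'bash' or 'python3'
        return None
    # Resolve on the trusted path only, so a PATH poisoned by the attacker
    # cannot substitute a different binary with an allowlisted name.
    resolved = which(name, path=os.pathsep.join(TRUSTED_PATH))
    if resolved is None:
        return None
    return [resolved]


def run_pinentry(argv: List[str], timeout: float = 60.0) -> int:
    """Execute the resolved pinentry without a shell; argv is never re-parsed."""
    return subprocess.run(argv, shell=False, timeout=timeout, check=False).returncode


if __name__ == "__main__":
    # Constructed environments: three attacker-controlled values, one legitimate.
    for value in ("/tmp/evil.sh", "pinentry-curses; id", "bash", "pinentry-curses"):
        env = {"PINENTRY_FALLBACK_APP": value}
        print(f"{value!r:24} vulnerable -> {vulnerable_pinentry_command(env)!r:24} "
              f"hardened -> {hardened_pinentry_argv(env)!r}")
```

The hardened variant rejects an absolute path outright rather than trying to canonicalise it, because a program that must run under another user's control should never derive the location of a privileged helper from that user's environment; if an alternative pinentry really must be configurable, the setting belongs in a root-owned configuration file, not in the process environment.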
How can this vulnerability impact me?
An attacker who controls the environment of pamusb-pinentry gains arbitrary code execution with the privileges of the pam_usb tool chain. Whether that amounts to privilege escalation depends on where the privilege boundary sits: the impact is most severe when pamusb-pinentry runs with more privilege than the user or process that can set its environment, for example when a privileged component launches it on a user's behalf. In that case arbitrary code runs inside the authentication path, which can enable unauthorized actions and potentially lead to full system compromise.
What immediate steps should I take to mitigate this vulnerability?
Upgrade pam_usb to version 0.8.7 or later, where the issue is fixed. Until the upgrade is in place, make sure pamusb-pinentry is not invoked in any context where a less-trusted user or process can set its environment, since the environment variable is the attack vector.