CVE-2026-44712
Remote Code Execution in pam_usb Prior to 0.8.7

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, a crafted UUID such as $(id>/tmp/rce) in the config causes root RCE when pamusb-conf --reset-pads is run. A USB device with a crafted filesystem UUID (some controllers allow this) can inject the payload at --add-device time. Also, userName from the XML config is passed to os.system() in pamusb-agent, which invokes a shell. This vulnerability is fixed in 0.8.7.
Meta Information
- Generated: 2026-05-28
- AI Q&A: 2026-05-28
- EPSS Evaluated: N/A
- Source: NVD
Affected Vendors & Products
Currently, no data is known.
CWE ID and Description
- CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
- CWE-88: The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in pam_usb, a tool that provides hardware authentication for Linux using removable media. Before version 0.8.7, if a crafted UUID containing malicious code (e.g., $(id>/tmp/rce)) is placed in the configuration, it can lead to root remote code execution (RCE) when the command pamusb-conf --reset-pads is run.

Additionally, a USB device with a specially crafted filesystem UUID can inject this malicious payload during the --add-device process. Another issue is that the userName from the XML configuration is passed directly to os.system() in pamusb-agent, which executes a shell command, further enabling code execution.

This vulnerability was fixed in version 0.8.7 of pam_usb.


How can this vulnerability impact me?

This vulnerability can allow an attacker with physical access to a system to execute arbitrary code with root privileges by using a specially crafted USB device or configuration.

The impact includes complete compromise of the affected system, allowing the attacker to gain full control, access sensitive data, modify system configurations, or disrupt system operations.

Because the attack requires local access and involves physical devices, it is a high-severity risk in environments where USB devices are used for authentication.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade pam_usb to version 0.8.7 or later, where the issue is fixed.

Avoid running pamusb-conf --reset-pads or adding USB devices with crafted filesystem UUIDs until the upgrade is applied.
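The pattern behind both injection points in the description (a filesystem UUID or the XML userName spliced into a string handed to os.system()) and the fix a defender would want are shown in the added Python example below. It is illustrative code written for this page, not pam_usb's own source; the UUID and username formats it accepts, the `blkid -U` lookup it builds, and the sample values are assumptions, with the crafted UUID taken from the advisory text. The vulnerable helper only returns the string a shell would have received, it never executes it.

```python
import re
import shlex
import subprocess

# Constructed sample inputs: a well-formed filesystem UUID, the crafted value
# quoted in the advisory, and username values in the same two shapes.
GOOD_UUID = "3f1a2b4c-5d6e-4f70-8a9b-0c1d2e3f4a5b"
CRAFTED_UUID = "$(id>/tmp/rce)"
GOOD_USER = "alice"
CRAFTED_USER = "alice; id > /tmp/rce"

# Assumption: blkid-style filesystem UUIDs are hex digits, optionally
# hyphen-separated (ext4 8-4-4-4-12, FAT 4-4, NTFS 16 hex). Anything else,
# including shell metacharacters, is rejected before it reaches a command.
FS_UUID_RE = re.compile(r"^[0-9A-Fa-f]{4,16}(?:-[0-9A-Fa-f]{4,12}){0,4}$")
# POSIX portable username characters only.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def is_valid_fs_uuid(value: str) -> bool:
    """Allow-list check for a value read from a USB device or the XML config."""
    return FS_UUID_RE.fullmatch(value) is not None


def is_valid_username(value: str) -> bool:
    """Allow-list check for the userName attribute of the XML config."""
    return USERNAME_RE.fullmatch(value) is not None


def vulnerable_command(template: str, value: str) -> str:
    """Return the string an os.system()-style call would hand to /bin/sh.

    The untrusted value is spliced in verbatim, so $(...), ';' and '|' in it
    become part of the command line. Returned rather than executed so this
    example is safe to run.
    """
    return template % value


def hardened_argv(program: str, flag: str, value: str, validator) -> list:
    """Build an argv list for subprocess.run(..., shell=False).

    The value is validated first and then travels as one argv element that no
    shell ever parses, so it cannot grow extra commands or options.
    """
    if not validator(value):
        raise ValueError("rejected untrusted value: %r" % (value,))
    return [program, flag, value]


def run_without_shell(argv: list) -> str:
    """Execute argv with shell=False and return stdout; no /bin/sh is involved."""
    result = subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)
    return result.stdout.strip()


def shell_quoted(template: str, value: str) -> str:
    """Fallback if a shell really is unavoidable: quote the value as one word."""
    return template % shlex.quote(value)


if __name__ == "__main__":
    # The crafted UUID survives intact into the shell command string...
    print(vulnerable_command("blkid -U %s", CRAFTED_UUID))
    # ...but is rejected by the allow-list, and a good one becomes a plain argv.
    print(hardened_argv("blkid", "-U", GOOD_UUID, is_valid_fs_uuid))
    # With shell=False, echo prints the crafted value literally, unexpanded.
    print(run_without_shell(["echo", CRAFTED_UUID]))
```

The allow-list check is the important half: quoting alone stops the injection, but a UUID or username that contains anything other than its expected alphabet should never reach a privileged command in the first place.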

