CVE-2026-44713
Deferred Deferred - Pending Action
Command Injection in pam_usb via TMUX Environment Variable

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, src/tmux.c reads the user's $TMUX environment variable, splits it on commas, and interpolates the socket-path component directly into a shell command passed to popen(). Because the value is placed inside double-quotes without sanitisation, any value containing " terminates the quoted string and injects arbitrary shell syntax. popen() runs as root inside the PAM stack. This vulnerability is fixed in 0.8.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-44713
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mcdope pam_usb to 0.8.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in pam_usb versions prior to 0.8.7, specifically in the src/tmux.c file. The code reads the user's $TMUX environment variable, splits it on commas, and directly inserts the socket-path component into a shell command executed by popen(). Because this value is placed inside double quotes without proper sanitization, an attacker can inject arbitrary shell commands by including a double-quote character in the environment variable. Since popen() runs with root privileges inside the PAM stack, this allows for privilege escalation through command injection.

Impact Analysis

This vulnerability can lead to a serious security impact because it allows an attacker with limited privileges to execute arbitrary commands as root. This can result in full system compromise, including unauthorized access, data modification, or denial of service. Since the vulnerability involves command injection in a component that handles authentication, it undermines the security of the authentication process itself.

Mitigation Strategies

To mitigate this vulnerability, upgrade pam_usb to version 0.8.7 or later, where the issue has been fixed.

Compliance Impact

This vulnerability allows an attacker to execute arbitrary commands as root, potentially leading to unauthorized access, data breaches, and system compromise.

Such unauthorized access and potential data exposure can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and strict access controls.

Because the vulnerability affects confidentiality, integrity, and availability, organizations using vulnerable versions of pam_usb may face increased risk of non-compliance due to failure to adequately protect user data and system integrity.

Detection Guidance

This vulnerability can be detected by identifying systems running pam_usb versions prior to 0.8.7, as these versions contain the vulnerable code handling the $TMUX environment variable unsafely.

To detect the vulnerable version, you can check the installed pam_usb version with commands like:

  • dpkg -l | grep pam_usb # On Debian-based systems
  • rpm -qa | grep pam_usb # On Red Hat-based systems

Additionally, you can check for the presence of the vulnerable source file or binary and verify if the system uses pam_usb for authentication by inspecting PAM configuration files, such as /etc/pam.d/common-auth or equivalent.

Since the vulnerability involves the $TMUX environment variable being passed unsanitized to a shell command, monitoring for suspicious or unexpected values of $TMUX in user sessions or logs might help detect exploitation attempts.

No specific detection commands for the injection itself are provided, but ensuring the system is updated to pam_usb version 0.8.7 or later is the recommended mitigation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44713. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart