CVE-2026-44713
Command Injection in pam_usb via TMUX Environment Variable

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, src/tmux.c reads the user's $TMUX environment variable, splits it on commas, and interpolates the socket-path component directly into a shell command passed to popen(). Because the value is placed inside double-quotes without sanitisation, any value containing " terminates the quoted string and injects arbitrary shell syntax. popen() runs as root inside the PAM stack. This vulnerability is fixed in 0.8.7.
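As an added illustration (not pam_usb's own code, which this page does not reproduce), the following shows the defective pattern the description names beside a hardened form: the $TMUX value is split at the first comma, and the socket-path component is either spliced into a command line destined for popen() (the defect) or allow-list validated and handed to an exec-style call as a single argv element, so no shell ever parses it. The `tmux -S ... list-clients` command line, the function names and the sample values are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy the socket-path component of a $TMUX-style value ("path,pid,session")
 * into out. Returns 0 on success, -1 on empty component or overflow. */
int tmux_socket_path(const char *tmux_env, char *out, size_t outlen)
{
    if (tmux_env == NULL || out == NULL || outlen == 0) return -1;
    const char *comma = strchr(tmux_env, ',');
    size_t len = comma ? (size_t)(comma - tmux_env) : strlen(tmux_env);
    if (len == 0 || len >= outlen) return -1;
    memcpy(out, tmux_env, len);
    out[len] = '\0';
    return 0;
}

/* Allow-list check for the hardened path: an absolute path made only of
 * [A-Za-z0-9/._-]. Anything else, including '"', '$', '`' or ';', is rejected. */
int tmux_socket_path_is_safe(const char *path)
{
    if (path == NULL || path[0] != '/') return 0;
    for (const char *p = path; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '/' || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Defective pattern described in the advisory (illustration, not pam_usb's
 * code): the value is spliced into a command line meant for popen(). A '"'
 * inside sock closes the quoted string and sh parses whatever follows. */
int build_shell_command_unsafe(const char *sock, char *cmd, size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen, "tmux -S \"%s\" list-clients", sock);
    return (n < 0 || (size_t)n >= cmdlen) ? -1 : 0;
}

/* Hardened form: validate, then hand the path over as one argv element for
 * execvp()/posix_spawnp(). No shell is involved, so quoting cannot matter.
 * argv must have room for 5 pointers (4 words plus the terminating NULL). */
int build_tmux_argv_safe(const char *sock, const char *argv[5])
{
    if (!tmux_socket_path_is_safe(sock)) return -1;
    argv[0] = "tmux"; argv[1] = "-S";
    argv[2] = sock; argv[3] = "list-clients"; argv[4] = NULL;
    return 0;
}
```

Note that the unsafe builder accepts a value containing a double quote without complaint, while the hardened builder refuses it before anything is executed.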
Meta Information
Generated: 2026-05-28
AI Q&A generated: 2026-05-28
EPSS evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE classification
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-116: The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in pam_usb versions prior to 0.8.7, specifically in the src/tmux.c file. The code reads the user's $TMUX environment variable, splits it on commas, and directly inserts the socket-path component into a shell command executed by popen(). Because this value is placed inside double quotes without proper sanitization, an attacker can inject arbitrary shell commands by including a double-quote character in the environment variable. Since popen() runs with root privileges inside the PAM stack, this allows for privilege escalation through command injection.

How can this vulnerability impact me?

This vulnerability can lead to a serious security impact because it allows an attacker with limited privileges to execute arbitrary commands as root. This can result in full system compromise, including unauthorized access, data modification, or denial of service. Since the vulnerability involves command injection in a component that handles authentication, it undermines the security of the authentication process itself.
What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade pam_usb to version 0.8.7 or later, where the issue has been fixed.