CVE-2026-47269
pam_usb Remote Authentication Bypass via IPv4-mapped IPv6
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in pam_usb versions prior to 0.9.0. pam_usb provides hardware-backed authentication for Linux using a registered removable device (typically a USB stick). Its deny_remote feature is meant to refuse authentication when the login session is remote rather than at the local console, and it decides this by reading the utmp record for the session. The flaw is that it only inspects the first 32-bit word of the 128-bit address field, ut_addr_v6[0]. That works for a plain IPv4 login, where the address is stored in ut_addr_v6[0], and for a normal IPv6 login, where the leading word is non-zero. It does not work for an IPv4-mapped IPv6 address of the form ::ffff:a.b.c.d, where the IPv4 address is stored in ut_addr_v6[3] and ut_addr_v6[0] is zero. On systems where sshd listens on the IPv6 wildcard address (::) with a dual-stack socket, incoming IPv4 connections are recorded in utmp as IPv4-mapped IPv6 addresses, so the check sees a zero first word and treats the remote SSH session as local. An attacker who holds a registered USB device, or who can reach a host where one has been left attached, can therefore authenticate over SSH as though sitting at the console, bypassing the deny_remote restriction.
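The following is an added illustration, not pam_usb's own source: it re-creates the "first word only" check as the advisory describes it next to a check that inspects all four words of ut_addr_v6, and runs both over utmp-style address fields constructed inline with inet_pton. The function names and the helper that fills the address field are assumptions made for the example; the IPv4-mapped layout (IPv4 in the last word, first word zero) is the one the advisory relies on.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* struct utmpx carries int32_t ut_addr_v6[4]. An IPv4 login stores the
 * address in word 0 (words 1..3 zero); an IPv6 login fills all four words.
 * An IPv4-mapped IPv6 address ::ffff:a.b.c.d is all zero in words 0 and 1,
 * 0x0000ffff (network order) in word 2, and the IPv4 address in word 3. */

/* Assumed re-creation of the vulnerable pre-0.9.0 logic described in the
 * advisory: only ut_addr_v6[0] decides whether the session is remote. */
static int remote_check_word0_only(const int32_t addr[4])
{
    return addr[0] != 0;
}

/* Hardened logic (example, not the upstream fix): any non-zero word means an
 * address was recorded for the session, so it is not a local console login. */
static int remote_check_all_words(const int32_t addr[4])
{
    for (int i = 0; i < 4; i++) {
        if (addr[i] != 0)
            return 1;
    }
    return 0;
}

/* Hypothetical helper: build a ut_addr_v6 field from textual input the way a
 * login process would. IPv4 text lands in word 0 (IPv4-only sshd socket);
 * IPv6 text, including ::ffff:a.b.c.d, is copied into all four words
 * (dual-stack sshd on ::). "::" yields an all-zero field, i.e. a local login.
 * Returns 0 on success, -1 if the text is not an address. */
static int fill_ut_addr(const char *text, int32_t addr[4])
{
    struct in_addr v4;
    struct in6_addr v6;

    memset(addr, 0, 4 * sizeof(int32_t));
    if (inet_pton(AF_INET, text, &v4) == 1) {
        memcpy(&addr[0], &v4, sizeof v4);
        return 0;
    }
    if (inet_pton(AF_INET6, text, &v6) == 1) {
        memcpy(addr, &v6, sizeof v6);
        return 0;
    }
    return -1;
}

/* Wrappers: 1 = remote, 0 = local, -1 = unparsable input. */
static int vulnerable_says_remote(const char *text)
{
    int32_t addr[4];
    if (fill_ut_addr(text, addr) != 0)
        return -1;
    return remote_check_word0_only(addr);
}

static int fixed_says_remote(const char *text)
{
    int32_t addr[4];
    if (fill_ut_addr(text, addr) != 0)
        return -1;
    return remote_check_all_words(addr);
}

int main(void)
{
    /* Constructed sample utmp addresses, one per login scenario. */
    const char *samples[] = {
        "::",                 /* local console login, no address recorded */
        "192.0.2.10",         /* IPv4 login via an IPv4-only sshd socket   */
        "2001:db8::1",        /* native IPv6 login                          */
        "::ffff:192.0.2.10",  /* IPv4 login via sshd bound to :: (mapped)   */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-20s word0-only: %d  all-words: %d\n", samples[i],
               vulnerable_says_remote(samples[i]),
               fixed_says_remote(samples[i]));
    }
    return 0;
}
```

The last row is the bug: the word0-only check reports 0 (local) for ::ffff:192.0.2.10 while the all-words check reports 1 (remote). A production fix would also want to treat a non-empty ut_host as remote, since utmp writers are not obliged to fill the address field at all.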
How can this vulnerability impact me?
An attacker who holds a registered USB authentication device, or who can reach a host where one is left attached, can authenticate over SSH on an affected system as if physically present at the local terminal. This defeats the deny_remote restriction, which exists precisely to stop a possessed or forgotten token from being usable from the network, and can give unauthorized remote access with high confidentiality and integrity impact, as reflected in the CVSS score.
What immediate steps should I take to mitigate this vulnerability?
Upgrade pam_usb to version 0.9.0 or later, where the deny_remote check is fixed. Until the upgrade is in place, do not rely on deny_remote on hosts whose sshd listens on the IPv6 wildcard address, since that is the configuration in which IPv4 logins are recorded as IPv4-mapped addresses; as an interim measure you can bind sshd to IPv4 only (for example AddressFamily inet or an explicit IPv4 ListenAddress in sshd_config) and make sure registered devices are not left attached to the host when nobody is at the console.