CVE-2026-47270
Race Condition in pam_usb Authentication Bypass
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in pam_usb, a PAM module that provides hardware authentication for Linux using removable media. Before version 0.9.0, pam_usb was loaded into processes like sudo, login, GDM, and GNOME Shell, which can run multiple concurrent authentication threads.
The issue arises because three functions used by the deny_remote feature call the non-reentrant strtok() function, which uses a single global pointer to store state. When two authentication threads run simultaneously, one thread's strtok() call can overwrite the other's tokenization pointer, causing incorrect parsing of session data or environment scans used to detect remote sessions.
Additionally, the function pusb_tmux_get_client_tty() passes a raw pointer from getenv(TMUX) directly to strtok(). Since getenv() returns a pointer into the live process environment, strtok() modifies this environment by inserting NUL bytes, corrupting the TMUX variable for all future code in the same process.
In long-running display managers, this corruption affects all subsequent authentications, potentially causing the deny_remote feature to incorrectly identify remote or local sessions depending on thread timing. This vulnerability was fixed in pam_usb version 0.9.0.
How can this vulnerability impact me? :
This vulnerability can cause the deny_remote feature in pam_usb to make incorrect decisions about whether a session is remote or local. As a result, unauthorized remote sessions might be mistakenly allowed, or legitimate local sessions might be denied access.
Because pam_usb is used for hardware authentication, this flaw could lead to security bypasses where remote attackers gain access or legitimate users are blocked, impacting system security and user experience.
Furthermore, the corruption of environment variables in long-lived processes can cause unpredictable behavior in authentication processes, potentially leading to denial of service or inconsistent authentication outcomes.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in pam_usb version 0.9.0. To mitigate this vulnerability, you should upgrade pam_usb to version 0.9.0 or later.