CVE-2026-47270
Deferred - Pending Action
Race Condition in pam_usb Authentication Bypass

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb is a PAM module loaded into the host process (sudo, login, GDM, GNOME Shell). Display managers such as GDM run multiple concurrent authentication threads. Three functions used by the deny_remote feature called the non-reentrant strtok(), which stores state in a single global pointer. If two authentications race, one thread's strtok() call can overwrite the other's in-progress tokenisation pointer, causing incorrect parsing of the tmux session data or the /proc environ scan that backs the remote-session detection logic. Additionally, pusb_tmux_get_client_tty() passed the raw pointer returned by getenv("TMUX") directly to strtok(). getenv() returns a pointer into the live process environment block; strtok() inserts NUL bytes into that block, permanently corrupting the TMUX variable for subsequent code running in the same process. In long-lived display managers this affects all future authentications in that process. The combined effect can cause deny_remote=true to return an incorrect decision for a remote session, or an incorrect decision for a local session, depending on thread interleaving. This vulnerability is fixed in 0.9.0.

Meta Information

Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-06-17
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-15

Affected Vendors & Products

Vendor | Product | Version / Range
mcdope | pam_usb | to 0.9.0 (exc)
mcdope | pam_usb | 0.9.0

CWE ID | Description
CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Executive Summary

This vulnerability exists in pam_usb, a PAM module that provides hardware authentication for Linux using removable media. Before version 0.9.0, pam_usb was loaded into processes like sudo, login, GDM, and GNOME Shell, which can run multiple concurrent authentication threads.

The issue arises because three functions used by the deny_remote feature call the non-reentrant strtok() function, which uses a single global pointer to store state. When two authentication threads run simultaneously, one thread's strtok() call can overwrite the other's tokenization pointer, causing incorrect parsing of session data or environment scans used to detect remote sessions.

Additionally, the function pusb_tmux_get_client_tty() passes the raw pointer returned by getenv("TMUX") directly to strtok(). Since getenv() returns a pointer into the live process environment, strtok() modifies this environment by inserting NUL bytes, corrupting the TMUX variable for all future code in the same process.

In long-running display managers, this corruption affects all subsequent authentications, potentially causing the deny_remote feature to incorrectly identify remote or local sessions depending on thread timing. This vulnerability was fixed in pam_usb version 0.9.0.
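
The two defects described above, reduced to a self-contained C program. This is an added example, not pam_usb's code: the function names and the sample TMUX value are constructed for illustration, and a single-threaded interleaving stands in for the thread race so the result is deterministic.

```c
#define _POSIX_C_SOURCE 200809L /* setenv(), strtok_r() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample value in tmux's "socket,pid,session" layout. */
#define SAMPLE_TMUX "/tmp/tmux-1000/default,4242,0"

/* Unsafe pattern: strtok() on the getenv() pointer writes a NUL into the
 * live environment. Returns 1 if TMUX still holds its full value. */
int env_intact_after_strtok(void) {
    setenv("TMUX", SAMPLE_TMUX, 1);
    strtok(getenv("TMUX"), ",");
    return strcmp(getenv("TMUX"), SAMPLE_TMUX) == 0;
}

/* Hardened pattern: tokenise a private copy with caller-owned state.
 * Copies comma-separated field `index` of TMUX into out; 0 on success. */
int tmux_field(int index, char *out, size_t outlen) {
    const char *raw = getenv("TMUX");
    char copy[256], *save = NULL, *t;
    if (raw == NULL || strlen(raw) >= sizeof copy) return -1;
    strcpy(copy, raw);
    for (t = strtok_r(copy, ",", &save); t; t = strtok_r(NULL, ",", &save))
        if (index-- == 0 && strlen(t) < outlen) { strcpy(out, t); return 0; }
    return -1;
}

/* Deterministic stand-in for the race: a second tokenisation starts while
 * the first is mid-way. Returns 1 if the first caller still gets "b". */
int first_caller_unaffected(int reentrant) {
    char a[] = "a,b", b[] = "x,y", *sa = NULL, *sb = NULL;
    if (reentrant) {
        strtok_r(a, ",", &sa);
        strtok_r(b, ",", &sb);
        return strcmp(strtok_r(NULL, ",", &sa), "b") == 0;
    }
    strtok(a, ",");
    strtok(b, ",");            /* overwrites strtok()'s single saved pointer */
    return strcmp(strtok(NULL, ","), "b") == 0;
}

int main(void) {
    char pid[16] = "";
    printf("TMUX intact after strtok(getenv()): %d\n", env_intact_after_strtok());
    setenv("TMUX", SAMPLE_TMUX, 1);
    printf("copy + strtok_r: rc=%d pid=%s\n", tmux_field(1, pid, sizeof pid), pid);
    printf("strtok=%d strtok_r=%d\n", first_caller_unaffected(0), first_caller_unaffected(1));
    return 0;
}
```

With strtok() the first caller's next token comes from the second caller's buffer, which is the mis-parse the advisory attributes to racing authentications; with strtok_r() each caller keeps its own position.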

Impact Analysis

This vulnerability can cause the deny_remote feature in pam_usb to make incorrect decisions about whether a session is remote or local. As a result, unauthorized remote sessions might be mistakenly allowed, or legitimate local sessions might be denied access.

Because pam_usb is used for hardware authentication, this flaw could lead to security bypasses where remote attackers gain access or legitimate users are blocked, impacting system security and user experience.

Furthermore, the corruption of environment variables in long-lived processes can cause unpredictable behavior in authentication processes, potentially leading to denial of service or inconsistent authentication outcomes.

Mitigation Strategies

The vulnerability is fixed in pam_usb version 0.9.0. To mitigate it, upgrade pam_usb to version 0.9.0 or later.

Compliance Impact

The vulnerability in pam_usb involves race conditions and environment corruption that can cause incorrect authentication decisions regarding remote sessions. This could potentially allow unauthorized access or denial of legitimate access in multi-threaded authentication environments.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the incorrect authentication decisions caused by this vulnerability could lead to unauthorized access to sensitive systems or data, which may violate security requirements mandated by these regulations.

Therefore, organizations relying on pam_usb for authentication should consider this vulnerability as a risk to maintaining proper access controls, which are critical for compliance with data protection and privacy regulations.

Detection Guidance

This vulnerability arises from a race condition in the pam_usb PAM module versions prior to 0.9.0, caused by the use of the non-reentrant strtok() function in multi-threaded authentication processes. Detection involves identifying if your system is running pam_usb versions 0.8.6 or earlier, especially if you use display managers like GDM or GNOME Shell that run multiple concurrent authentication threads.

To detect if the vulnerable pam_usb version is installed, check the installed package version or the source code version. For example, on a Linux system, you might run one of the following (the pattern matches both the pam_usb and pam-usb spellings of the package name):

  • dpkg -l | grep -i 'pam[-_]usb'
  • rpm -qa | grep -i 'pam[-_]usb'

If pam_usb is built from source, check the version in the source directory or the installed module version.

To detect if the vulnerability is actively causing issues, you can monitor authentication logs for unusual behavior or errors related to pam_usb, or check for corrupted TMUX environment variables in processes running PAM modules.

Since the vulnerability involves corruption of environment variables and race conditions during authentication, there are no direct network commands to detect exploitation. However, you can audit running processes for the presence of pam_usb and verify if the deny_remote feature behaves incorrectly by testing remote and local authentication scenarios.
