CVE-2026-47272
Status: Received - Intake
Authentication Bypass in pam_usb via Missing Pad Verification

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, the pusb_pad_compare() function in src/pad.c only verified that the user-side pad (~/.pamusb/device.pad) could be read, but did not enforce that the system-side pad (the pad file on the USB device) was also present and readable. If the user-side pad was deleted or unreadable, the function returned a failure that was treated as non-fatal in certain code paths, allowing authentication to succeed without the USB device being verified. A local user can delete their own ~/.pamusb/device.pad to remove the USB device requirement and authenticate without the physical device. This vulnerability is fixed in 0.9.0.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-05-28
AI Q&A: 2026-05-27
EPSS Evaluated: N/A
NVD
Affected Vendors & Products
Vendor: mcdope
Product: pam_usb
Version / Range: 0.9.0
CWE
CWE-908: The product uses or accesses a resource that has not been initialized.
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade pam_usb to version 0.9.0 or later where the issue is fixed.

Until the upgrade can be performed, avoid relying solely on pam_usb authentication for security, as local users may bypass the USB device requirement by deleting their ~/.pamusb/device.pad file.


Can you explain this vulnerability to me?

The vulnerability exists in pam_usb versions prior to 0.9.0, specifically in the pusb_pad_compare() function. This function was supposed to verify both the user-side pad file (~/.pamusb/device.pad) and the system-side pad file on the USB device to authenticate a user. However, it only checked if the user-side pad was readable and did not enforce the presence or readability of the system-side pad on the USB device.

If the user-side pad file was deleted or unreadable, the function returned a failure that was treated as non-fatal in some code paths. This allowed a local user to bypass the USB device authentication requirement by deleting their own user-side pad file, enabling them to authenticate without the physical USB device.

This flaw effectively allows local users to circumvent hardware-based authentication controls.


How can this vulnerability impact me?

This vulnerability can allow a local user to bypass the hardware authentication mechanism that pam_usb provides. By deleting their own user-side pad file, the user can authenticate without needing the physical USB device that is supposed to be required.

As a result, unauthorized access could be gained if an attacker has local access to the system, potentially compromising system security by allowing authentication without the intended hardware token.

The CVSS score of 7.1 indicates a high severity impact on confidentiality and integrity, meaning sensitive information could be exposed or altered due to this vulnerability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows a local user to bypass hardware authentication by deleting their user-side pad file, enabling authentication without the physical USB device. This improper authentication weakness (CWE-287) could lead to unauthorized access to systems that rely on pam_usb for security.

Such unauthorized access risks compromising sensitive data, which may impact compliance with standards and regulations like GDPR and HIPAA that require strong access controls and protection of personal or health information.

Therefore, the vulnerability undermines the effectiveness of authentication controls, potentially leading to violations of regulatory requirements related to data confidentiality and access management.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the pam_usb software allowing authentication bypass if the user-side pad file (~/.pamusb/device.pad) is deleted or unreadable, while the system-side pad on the USB device is not verified. To detect if your system is vulnerable, you can check the version of pam_usb installed and verify if it is prior to 0.9.0, as the issue is fixed in version 0.9.0.

You can also check if the user-side pad file exists and is readable, and whether the system-side pad file on the USB device is present and readable. If the user-side pad file is missing or unreadable, the system may be vulnerable to authentication bypass.

Suggested commands to help detect this vulnerability include:

  • Check pam_usb version: `pam_usb --version` or check package version via your package manager (e.g., `dpkg -l | grep pam_usb` or `rpm -q pam_usb`).
  • Verify presence and permissions of user-side pad file: `ls -l ~/.pamusb/device.pad`
  • Verify presence and permissions of system-side pad file on the USB device (replace /media/usb with your mount point): `ls -l /media/usb/device.pad`
  • Attempt to authenticate with pam_usb and monitor logs for unexpected authentication successes when the user-side pad is missing.
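The two host-side checks this answer describes, written out as an added example that is not part of this record or of the pam_usb project: a comparison of the installed version against the fixed release, and an audit of which home directories lack a readable user-side pad file. The function names, the /home root and the sample version strings are assumptions; the path ~/.pamusb/device.pad and the 0.9.0 threshold are the values given in the advisory.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the pam_usb project.
# Two defender-side checks for the condition the advisory describes:
#   1. is the installed pam_usb version below the fixed release 0.9.0?
#   2. which users on this host have a missing or unreadable user-side
#      pad file (~/.pamusb/device.pad), the state in which an affected
#      version may let authentication succeed without the device?
# Function names and the home-directory root are assumptions; the pad
# path and the 0.9.0 threshold come from the advisory.

# Return 0 when VERSION (e.g. "0.8.3") is below 0.9.0, 1 when it is 0.9.0
# or later, 2 when the string cannot be parsed. Packaging suffixes such
# as "0.8.3-2" are tolerated because only the first two fields are read.
pamusb_version_vulnerable() {
    v="$1"
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    if [ "$major" -eq 0 ] && [ "$minor" -lt 9 ]; then
        return 0
    fi
    return 1
}

# Print one line per home directory under ROOT to stderr saying whether
# .pamusb/device.pad is readable, and print the count of missing or
# unreadable pads to stdout. When run as root, -r reflects existence
# rather than the owning user's permissions, so follow up on flagged
# paths with ls -l as the answer above suggests.
audit_user_pads() {
    root="$1"
    missing=0
    for home in "$root"/*/; do
        home=${home%/}
        [ -d "$home" ] || continue
        pad="$home/.pamusb/device.pad"
        if [ -r "$pad" ]; then
            printf 'ok       %s\n' "$pad" >&2
        else
            printf 'MISSING  %s\n' "$pad" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}
```

On a real host, feed the version string from `dpkg -l` or `rpm -q` output to `pamusb_version_vulnerable`, and run `audit_user_pads /home` (plus any other home-directory root in use) to list the accounts whose user-side pad is absent; a non-zero count on an affected version is the combination to act on before the upgrade.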
