CVE-2026-48980
Received Received - Intake
Environment Variable Injection in pam_usb Prior to 0.9.2

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: GitHub, Inc.

Description
pam_usb provides hardware authentication for Linux using removable media. In versions prior to 0.9.2, getenv() environment variables XRDP_SESSION, DISPLAY and TMUX allow environment variable injection into local-check logic. These environment variables influence whether a current session is local or remote, and a PAM module that runs in the context of setuid binaries (sudo, su), getenv() returns attacker-controlled values whenever the process environment has been manipulated by a local user. This issue has been fixed in version 0.9.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-18
Last Modified
2026-06-18
Generated
2026-06-19
AI Q&A
2026-06-18
EPSS Evaluated
N/A
NVD
CVE-2026-48980
EUVD
EUVD-2026-37937
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mcdope pam_usb 0.9.2
mcdope pam_usb to 0.9.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-454 The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.
CWE-807 The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in pam_usb versions prior to 0.9.2 involves the use of the getenv() function to read environment variables XRDP_SESSION, DISPLAY, and TMUX. These variables influence whether a session is considered local or remote. Because pam_usb runs in the context of setuid binaries like sudo or su, getenv() can return attacker-controlled values if a local user manipulates the process environment. This allows environment variable injection into the local-check logic, potentially misleading the authentication process.

The correct approach is to use secure_getenv(), which prevents environment variable injection by returning NULL when the effective UID does not match the real UID. The vulnerability was fixed in version 0.9.2 by replacing getenv() calls with secure_getenv().

Compliance Impact

The vulnerability in pam_usb allows attacker-controlled environment variable injection into local-check logic, which can lead to unauthorized access or manipulation of privileged sessions. This poses high risks to confidentiality and integrity of sensitive information.

Such risks can impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure authentication mechanisms to prevent unauthorized access.

Failure to address this vulnerability could result in non-compliance due to potential data breaches or unauthorized privilege escalation.

Impact Analysis

This vulnerability can impact you by allowing a local attacker to manipulate environment variables that influence authentication decisions in pam_usb. Since pam_usb is used for hardware authentication on Linux systems, an attacker could potentially bypass or alter authentication checks by injecting malicious environment variables.

The vulnerability affects setuid binaries like sudo and su, which run with elevated privileges. Exploiting this flaw could lead to unauthorized access or privilege escalation, compromising confidentiality and integrity of the system.

The CVSS score of 6.3 indicates a moderate severity with a local attack vector, high attack complexity, and low privileges required, but no user interaction needed.

Detection Guidance

This vulnerability involves environment variable injection via getenv() calls in pam_usb versions prior to 0.9.2, specifically affecting local-check logic for XRDP_SESSION, DISPLAY, and TMUX environment variables.

To detect if your system is vulnerable, first check the installed version of pam_usb. If it is version 0.9.1 or earlier, it is affected.

  • Run the command: `pam_usb --version` or check the package version via your package manager, e.g., `dpkg -l | grep pam_usb` or `rpm -q pam_usb`.
  • Inspect the pam_usb source or installed binaries for usage of getenv() in local-check logic, especially in files like src/local.c and src/tmux.c if source code is available.
  • Check environment variables XRDP_SESSION, DISPLAY, and TMUX in sessions where pam_usb is used, to see if they can be manipulated by local users.

Since the vulnerability is local and requires environment manipulation, monitoring for unexpected or suspicious environment variable values in sudo or su sessions may help detect exploitation attempts.

Mitigation Strategies

The primary mitigation is to upgrade pam_usb to version 0.9.2 or later, where the vulnerability has been fixed by replacing unsafe getenv() calls with secure_getenv().

  • Update pam_usb to version 0.9.2 by downloading the release from the official repository or using your system's package manager if an updated package is available.
  • Until the upgrade can be applied, restrict local user access to environments where pam_usb is used, especially limiting the ability to manipulate environment variables like XRDP_SESSION, DISPLAY, and TMUX.
  • Avoid running setuid binaries such as sudo or su in environments where these environment variables can be controlled by untrusted users.

Applying compiler and linker hardening flags as done in the 0.9.2 release can also improve overall security posture.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48980. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart