CVE-2026-54411
Status: Received - Intake
Timing Side-Channel in Linux-PAM pam_userdb Module

Publication date: 2026-06-14

Last updated on: 2026-06-14

Assigner: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Description
Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the plaintext-password comparison path of the pam_userdb module (modules/pam_userdb/pam_userdb.c). A local or network-adjacent attacker who can repeatedly drive authentication through a service that calls pam_userdb can recover the plaintext password of a target account by measuring differences in response time.

The comparison first checks that the candidate's length equals the stored password's length, then calls strncmp() (or strncasecmp() when the icase option, PAM_ICASE_ARG, is set). Both steps return early, so the time to reject a candidate depends on whether its length matches and on the index of the first differing byte. This leaks the password length first and then the password one prefix byte at a time.

The vulnerable path is reached when the administrator configures pam_userdb with crypt=none, with an unrecognized crypt method, or without a crypt= argument; in all three cases the module treats the database entries as plaintext and compares them directly.
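The comparison described above, side by side with a constant-time replacement and the byte-at-a-time recovery it enables, as an added example; this is not code from Linux-PAM or from the CVE record. STORED, vuln_compare, ct_compare, oracle, recover_length, recover_password and the g_work counter are names chosen here; the count of bytes examined stands in for the response time an attacker would actually have to measure, CT_BOUND is an assumed maximum password length, and the stored secret is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stored plaintext record, standing in for the db entry. */
static const char STORED[] = "s3cret!";

/* Bytes examined by the last compare call: stands in for the response
 * time an attacker would measure. */
static size_t g_work;

/* Mirrors the plaintext path the advisory describes: reject on length
 * mismatch before touching any byte, then stop at the first differing
 * byte. Returns 0 on match, like strncmp(). */
static int vuln_compare(const char *stored, size_t stored_len, const char *cand)
{
    g_work = 0;
    if (strlen(cand) != stored_len)
        return 1;                      /* no byte examined: leaks the length */
    for (size_t i = 0; i < stored_len; i++) {
        g_work++;
        if (stored[i] != cand[i])
            return 1;                  /* early exit: leaks index of first difference */
    }
    return 0;
}

/* Hardened compare (added here, not the project's fix): both values go into
 * zero-padded fixed-size buffers and every byte of the bound is always
 * examined, so work no longer depends on where the first difference is. */
#define CT_BOUND 128                   /* assumed maximum password length */
static int ct_compare(const char *stored, size_t stored_len, const char *cand)
{
    unsigned char a[CT_BOUND] = {0}, b[CT_BOUND] = {0};
    size_t cand_len = strlen(cand);
    unsigned char diff = (stored_len != cand_len) | (stored_len > CT_BOUND);
    memcpy(a, stored, stored_len < CT_BOUND ? stored_len : CT_BOUND);
    memcpy(b, cand, cand_len < CT_BOUND ? cand_len : CT_BOUND);
    g_work = 0;
    for (size_t i = 0; i < CT_BOUND; i++) {
        diff |= (unsigned char)(a[i] ^ b[i]);
        g_work++;
    }
    return diff != 0;
}

/* All the attacker gets: the service's verdict plus the side channel. */
static int oracle(const char *cand)
{
    return vuln_compare(STORED, sizeof STORED - 1, cand);
}

#define MAX_LEN 64
static const char ALPHABET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*";

/* Step 1: grow the candidate until the length check passes, which is the
 * first time any byte gets examined. Returns 0 if nothing up to MAX_LEN works. */
static size_t recover_length(void)
{
    char cand[MAX_LEN + 1];
    for (size_t n = 1; n <= MAX_LEN; n++) {
        memset(cand, 'a', n);
        cand[n] = '\0';
        oracle(cand);
        if (g_work > 0)
            return n;
    }
    return 0;
}

/* Step 2: at each position keep the byte that makes the compare do the most
 * work; the last byte is confirmed by the oracle accepting the candidate.
 * Returns the recovered password, or NULL. */
static const char *recover_password(void)
{
    static char out[MAX_LEN + 1];
    size_t n = recover_length();
    if (n == 0)
        return NULL;
    memset(out, 'a', n);
    out[n] = '\0';
    for (size_t pos = 0; pos < n; pos++) {
        size_t best_work = 0;
        char best = 'a';
        for (const char *p = ALPHABET; *p; p++) {
            out[pos] = *p;
            if (oracle(out) == 0)
                return out;            /* accepted: password complete */
            if (g_work > best_work) { best_work = g_work; best = *p; }
        }
        out[pos] = best;
    }
    return NULL;                       /* some byte was outside ALPHABET */
}

int main(void)
{
    const char *pw = recover_password();
    printf("recovered via early-exit compare: %s\n", pw ? pw : "(failed)");
    ct_compare(STORED, sizeof STORED - 1, "a");
    printf("ct_compare examined %zu bytes for a 1-byte guess\n", g_work);
    return 0;
}
```

The recovery loop uses only the accept/reject verdict and the work counter, which is exactly the information the advisory says leaks; against a real service the counter becomes repeated timing measurements averaged to beat jitter. ct_compare removes the dependence on the first differing byte, but the memcpy of the stored value still scales with its length, which is why storing crypt(3) hashes (crypt=crypt, fixed-length output for a given algorithm) is the preferred fix rather than a better plaintext compare.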
Meta Information
Published: 2026-06-14
Last Modified: 2026-06-14
Generated: 2026-06-14
AI Q&A: 2026-06-14
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products
Vendor      Product     Version / Range
linux-pam   linux-pam   1.7.2 (one associated CPE; the description covers Linux-PAM through 1.7.2)
CWE
CWE-208 (Observable Timing Discrepancy): Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
AI Quick Actions
Executive Summary

CVE-2026-54411 is a timing side-channel vulnerability in the Linux-PAM pam_userdb module up to version 1.7.2. When the module compares plaintext passwords it first checks length equality and then calls strncmp() or strncasecmp(); both steps return early, so the time taken to reject a wrong password reveals whether its length matched and at which byte it first diverged from the stored value.

An attacker who can repeatedly attempt authentication through a service using pam_userdb with plaintext password storage (crypt=none, an unrecognized crypt method, or no crypt= argument) can measure these differences to recover the target account's password one byte at a time.

Impact Analysis

A local or network-adjacent attacker who can submit many authentication attempts can recover plaintext passwords from the timing of rejections. The attack needs no privileges on the host beyond the ability to reach the authenticating service, and it never requires read access to the database file.

Because the recovered value is the account's real password, the attacker can then log in through any service that accepts it; no privilege escalation and no break in the authentication flow itself is required.

The cost is roughly the candidate alphabet size multiplied by the password length in measured attempts, each repeated enough times to average out network and scheduling jitter, so the attack is noisy but tractable. Where the same password is reused elsewhere, the compromise extends beyond the pam_userdb-backed service.

Mitigation Strategies

Review every pam_userdb line in /etc/pam.conf and /etc/pam.d/ and set crypt=crypt, which makes the module expect crypt(3) hashes in the database instead of plaintext; the plaintext path is taken whenever crypt= is absent, set to none, or set to a value the module does not recognize. Regenerate the database with hashed values when switching modes, since existing plaintext entries will no longer verify.

Restricting read access to the database file does not close the timing channel (the attack never reads the file), but it limits who can simply read plaintext credentials out of a database that still holds them, and it should be done regardless.

Apply the Linux-PAM update once a fixed release is published. Until then, adding a failure delay (for example with pam_faildelay) raises the number of attempts the attacker needs but does not remove the dependence on the first differing byte, so it is a stopgap rather than a fix.

Compliance Impact

CVE-2026-54411 allows an attacker to recover plaintext passwords by exploiting timing discrepancies in the pam_userdb module when configured to store passwords in plaintext or with unsupported crypt methods.

This vulnerability can lead to unauthorized disclosure of sensitive authentication credentials, which may result in violations of confidentiality requirements mandated by standards such as GDPR and HIPAA.

Specifically, the exposure of plaintext passwords undermines data protection principles and could lead to unauthorized access to personal or protected health information, thereby impacting compliance with these regulations.

Mitigating this vulnerability by avoiding plaintext password storage and applying patches is essential to maintain compliance with security controls required by these standards.

Detection Guidance

The defect is in the module's code, so a system is affected whenever it runs a vulnerable Linux-PAM release and has pam_userdb configured on the plaintext path; checking the configuration is the reliable test. Measuring timing differences is how the weakness is exploited, not how it is normally detected.

First determine whether any pam_userdb line uses crypt=none, an unrecognized crypt method, or no crypt= argument at all; each of these selects the plaintext comparison.

PAM configuration lives in /etc/pam.d/ (one file per service) or, on systems without that directory, in /etc/pam.conf. List every pam_userdb line with:

  • grep -rn pam_userdb /etc/pam.conf /etc/pam.d/ 2>/dev/null

For each hit, look at the arguments after pam_userdb.so: only crypt=crypt selects hashed comparison; a missing crypt=, crypt=none, or any other value means plaintext. Also confirm that the installed Linux-PAM version (for example via your package manager) is 1.7.2 or earlier.

Confirming the timing discrepancy directly requires repeated authentication attempts against the calling service with precise response-time measurement, typically with a custom script; that is validation of the weakness, not routine detection. From the defender's side, the observable sign of an attack in progress is a large volume of failed authentications for one account at the service that fronts pam_userdb, since recovery needs many attempts per password byte.

No specific commands for timing measurement are provided in the available resources.
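A checker implementing the rule above, as an added example that is not part of Linux-PAM or of this page's sources: it classifies each configuration line the way the advisory says the module will treat it. Its assumptions are its own: the module is recognised by the path suffix pam_userdb.so, option names and the crypt= value are matched case-insensitively, a later crypt= overrides an earlier one, and the sample lines are constructed rather than taken from a real host.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* What pam_userdb will do with the password store on a given line. */
enum userdb_mode { NOT_USERDB = 0, HASHED, PLAINTEXT };

static int has_suffix(const char *s, const char *suf)
{
    size_t ls = strlen(s), lf = strlen(suf);
    return ls >= lf && strcmp(s + ls - lf, suf) == 0;
}

/* Classify one line from /etc/pam.conf or /etc/pam.d/*. Only crypt=crypt
 * counts as HASHED; crypt=none, any other value, or no crypt= at all is
 * PLAINTEXT (the vulnerable path). Comments and other modules: NOT_USERDB.
 * Tokens are lower-cased so option matching is case-insensitive (assumption). */
static enum userdb_mode classify_pam_line(const char *line)
{
    enum userdb_mode mode = NOT_USERDB;
    const char *p = line;
    char tok[128];

    for (;;) {
        p += strspn(p, " \t");
        size_t full = strcspn(p, " \t\r\n#");   /* token ends at blank or '#' */
        size_t n = full < sizeof tok ? full : sizeof tok - 1;
        if (full == 0)
            break;                             /* end of line or comment */
        for (size_t i = 0; i < n; i++)
            tok[i] = (char)tolower((unsigned char)p[i]);
        tok[n] = '\0';
        p += full;
        if (mode == NOT_USERDB) {
            if (has_suffix(tok, "pam_userdb.so"))
                mode = PLAINTEXT;              /* default until crypt=crypt is seen */
        } else if (strncmp(tok, "crypt=", 6) == 0) {
            mode = strcmp(tok + 6, "crypt") == 0 ? HASHED : PLAINTEXT;
        }
    }
    return mode;
}

/* Constructed sample lines, standing in for the output of
 * grep -rn pam_userdb /etc/pam.conf /etc/pam.d/ on a real host. */
static const char *const SAMPLE[] = {
    "# auth required pam_userdb.so db=/etc/vsftpd_login crypt=none",
    "auth required pam_userdb.so db=/etc/vsftpd_login crypt=crypt",
    "auth required pam_userdb.so db=/etc/vsftpd_login crypt=none",
    "auth required pam_userdb.so db=/etc/vsftpd_login",
    "auth required pam_userdb.so db=/etc/vsftpd_login crypt=md5 icase",
    "auth required pam_unix.so nullok",
};
#define NSAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])

/* Prints and counts the lines that select the vulnerable plaintext path. */
static int count_plaintext(const char *const *lines, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (classify_pam_line(lines[i]) == PLAINTEXT) {
            printf("plaintext compare: %s\n", lines[i]);
            bad++;
        }
    }
    return bad;
}

int main(void)
{
    int bad = count_plaintext(SAMPLE, NSAMPLE);
    printf("%d line(s) need crypt=crypt and a database of crypt(3) hashes\n", bad);
    return bad ? 1 : 0;
}
```

On a real host, feed the checker the lines the grep above produces (strip the file:line prefix first); a non-zero exit means at least one service authenticates through the plaintext comparison and needs its database rebuilt with crypt(3) hashes and crypt=crypt set.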
