CVE-2026-54411

🗓️ 14 Jun 2026 17:21:43Reported by TuranSecType

Linux-PAM pam_userdb timing side channel allows password recovery when crypt=none or invalid via repeated logins.

Reporter	Title	Published	Views	Family All 11
Circl	CVE-2026-54411	14 Jun 202619:52	–	circl
CVE	CVE-2026-54411	14 Jun 202617:21	–	cve
Debian CVE	CVE-2026-54411	14 Jun 202617:21	–	debiancve
EUVD	EUVD-2026-36662	14 Jun 202617:21	–	euvd
NVD	CVE-2026-54411	14 Jun 202618:17	–	nvd
OSV	DEBIAN-CVE-2026-54411	14 Jun 202618:17	–	osv
OSV	ECHO-A8BA-B20F-6DDA	15 Jun 202618:02	–	osv
OSV	UBUNTU-CVE-2026-54411	15 Jun 202600:00	–	osv
Positive Technologies	PT-2026-49134	14 Jun 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-54411	16 Jun 202612:57	–	redhatcve

[
  {
    "vendor": "Linux-PAM",
    "product": "Linux-PAM",
    "collectionURL": "https://github.com/linux-pam/linux-pam",
    "repo": "https://github.com/linux-pam/linux-pam",
    "modules": [
      "pam_userdb"
    ],
    "programFiles": [
      "modules/pam_userdb/pam_userdb.c"
    ],
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThanOrEqual": "1.7.2",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unknown"
  }
]

Source	Link
github	www.github.com/linux-pam/linux-pam
github	www.github.com/linux-pam/linux-pam/blob/master/libpam/include/pam_inline.h
cwe	www.cwe.mitre.org/data/definitions/208.html
github	www.github.com/linux-pam/linux-pam/blob/master/modules/pam_userdb/pam_userdb.c

14 Jun 2026 17:21Current

CVSS 3.15.9

CVSS 48.2

EPSS0.0032

CWE-208