CVE-2026-48980

The PAM module pam_usb is affected by a local-access vulnerability in earlier releases (pre-0.9.2) where getenv() in a PAM context returns attacker-controlled values for XRDP_SESSION, DISPLAY, and TMUX when the environment is manipulated by a local user. These values influence local-vs-remote ses...

CVE-2026-48983

CVE-2026-48983 affects pam_usb prior to version 0.9.2, where a TOCTOU race in per-device and per-user pad directory creation can be exploited via a symlink substitution. pam_usb performs a check-then-act using lstat() followed by mkdir(), allowing a local attacker to replace the target path with ...

CVE-2026-48982

CVE-2026-48982 affects pam_usb prior to version 0.9.2, where updating a one-time pad file creates a temporary file with open() lacking O_EXCL, enabling a race between concurrent processes to update the same pad. This non-atomicity can cause the stored pad to diverge from expectations, potentially...

CVE-2026-48981

The CVE-2026-48981 issue affects pam_usb for Linux, where in versions prior to 0.9.2 the module loads its configuration via xmlReadFile() with flags=0. This allows libxml2 to process external entity references (XXE) during XML parsing, potentially causing outbound network connections or local fil...

CVE-2026-48984

pamusb provides hardware authentication for Linux using ordinary removable media. In versions 0.9.1 and below, the xfree memory release helper in calls free without first zeroing the buffer contents, releasing heap-allocated buffers containing sensitive data — including one-time pad bytes read fr...

CVE-2026-48985

pam_usb (Linux hardware authentication) contains a NULL dereference in pusb_is_loginctl_local() when parsing loginctl output in versions ≤ 0.9.1. If the Remote field is just a newline, strtok_r(...) returns NULL and a subsequent strcmp(is_remote, "no") dereferences NULL, causing undefined behavio...

CVE-2026-47273

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pamusb builds XPath expressions from user-supplied identifiers PAM username, service name and device-supplied identifiers USB device serial, model, vendor to query /etc/pamusb.conf. These identifiers...

CVE-2026-48065

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/conf.c allocates heap memory proportional to ndevices, a count derived from libxml2 XPath evaluation of the config file, without first enforcing an upper bound. On 32-bit targets armv7l, i686 --...

CVE-2026-48066

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/log.c contains a process-wide static pointer that is written on every PAM invocation with the address of a stack-local variable. This violates the PAM re-entrancy requirement and creates a data...

CVE-2026-48792

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/evdev.c silently ignores EACCES errors when opening /dev/input/event nodes, causing pusbhasvirtualinputdevice to return 0 no virtual devices found even when every open call failed due to...

CVE-2026-44710

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, src/device.c passed the return values of udisksdrivegetserial, udisksdrivegetvendor, and udisksdrivegetmodel directly to strcmp without NULL checks. The GIO/UDisks API documentation states these...

CVE-2026-44709

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, pamusb-pinentry reads the PINENTRYFALLBACKAPP environment variable and executes it directly without any validation. Any process that can set environment variables before pamusb-pinentry is invoked ca...

CVE-2026-44713

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, src/tmux.c reads the user's $TMUX environment variable, splits it on commas, and interpolates the socket-path component directly into a shell command passed to popen. Because the value is placed insi...

CVE-2026-44711

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, symlink attacks on pad directory and pad files enable authentication bypass and root file corruption. This vulnerability is fixed in 0.8.7...

CVE-2026-44709

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, pamusb-pinentry reads the PINENTRYFALLBACKAPP environment variable and executes it directly without any validation. Any process that can set environment variables before pamusb-pinentry is invoked ca...

EUVD-2026-32662

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, a crafted UUID such as $id/tmp/rce in the config causes root RCE when pamusb-conf --reset-pads is run. A USB device with a crafted filesystem UUID some controllers allow this can inject the payload a...

CVE-2026-44712

pam_usb on Linux is vulnerable prior to 0.8.7 due to two issues: (1) a crafted filesystem UUID or config UUID can trigger root RCE when pamusb-conf --reset-pads is run, and (2) userName from the XML config is passed to os.system(), invoking a shell via pamusb-agent. Some USB controllers may permi...

CVE-2026-44712

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, a crafted UUID such as $id/tmp/rce in the config causes root RCE when pamusb-conf --reset-pads is run. A USB device with a crafted filesystem UUID some controllers allow this can inject the payload a...

CVE-2026-44709

CVE-2026-44709 affects pam_usb: prior to version 0.8.7, the pamusb-pinentry component reads the PINENTRY_FALLBACK_APP environment variable and executes it directly without validation. Any process that can set environment variables before pamusb-pinentry runs can point PINENTRY_FALLBACK_APP to an ...

CVE-2026-44709 pam_usb: PINENTRY_FALLBACK_APP environment variable allows arbitrary command execution

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, pamusb-pinentry reads the PINENTRYFALLBACKAPP environment variable and executes it directly without any validation. Any process that can set environment variables before pamusb-pinentry is invoked ca...