VYPR
Vypr Intelligence · AI-generated · May 31, 2026 · 15 CVEs

Mcdope Pam Usb: 15 CVEs Disclosed in a Single Day — RCE, Auth Bypass, and Race Conditions

Fifteen security vulnerabilities spanning command injection, authentication bypass, symlink attacks, and data races were disclosed together on May 27, 2026, in Mcdope's Pam Usb Linux authentication module.

Key findings

  • 15 CVEs disclosed together on May 27, 2026, for Mcdope Pam Usb
  • Three command-injection bugs (CVE-2026-44713, CVE-2026-44712, CVE-2026-44709) carry CVSS scores of 7.8–8.8
  • CVE-2026-48064 allows remote authentication bypass when deny_remote=false
  • CVE-2026-44711 enables symlink-based auth bypass and root file corruption
  • Fixes span three releases: 0.8.7, 0.9.0, and 0.9.1 — upgrade to 0.9.1 covers all
  • Bug classes include XPath injection, heap exhaustion, data races, and missing NULL checks

On May 27, 2026, a batch of 15 CVEs was published for Mcdope Pam Usb, a PAM module that turns ordinary removable media into a possession factor for Linux authentication. The vulnerabilities range in severity from Medium (CVSSv3 4.4) to High (CVSSv3 8.8), were disclosed within a one-hour window, and affect versions prior to 0.8.7, 0.9.0, or 0.9.1 depending on the specific flaw. The breadth of bug classes (command injection, XPath injection, symlink attacks, data races, heap exhaustion, and missing NULL checks) makes this one of the most consequential disclosure events for the project to date.

Command Injection and Code Execution (CVSS 7.8 – 8.8)

Three of the most severe CVEs involve shell injection or arbitrary command execution. CVE-2026-44713 (CVSS 8.8) targets the tmux integration: src/tmux.c reads the user's $TMUX environment variable, splits it on commas, and interpolates the socket-path component into a shell command string passed to popen(). The value is placed inside double quotes but is never sanitized, and double quotes do not suppress $(...) or backtick command substitution in the shell, so a user who sets $TMUX before triggering PAM authentication through a service that runs the module as root gets their payload executed as root.

CVE-2026-44712 (CVSS 8.2) is a hardware-in-the-loop attack. The filesystem UUID is a value the device itself reports, and some devices allow it to contain arbitrary characters, so an attacker can prepare a device whose UUID is a payload such as $(id>/tmp/rce). When pamusb-conf --reset-pads is run against that device, the UUID is interpolated into a shell command without validation and the payload runs as root.

CVE-2026-44709 (CVSS 7.8) is a simpler environment-based injection: the pamusb-pinentry helper reads the PINENTRY_FALLBACK_APP environment variable and executes it directly. Any process that can set environment variables before pamusb-pinentry is invoked can hijack execution.
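
The three bugs above share one root cause: a device- or user-controlled string is pasted into a command line that a shell interprets. The following is an added example, not code from pam_usb, that reproduces the pattern with a constructed $TMUX value and a harmless `$(echo INJECTED)` substitution. `/bin/echo` stands in for the tmux binary so the demo has no side effects; the vulnerable path goes through popen(), the hardened path hands an argv straight to execv() so the string can never be parsed as shell syntax.

```c
/* Added example (not pam_usb code): double quotes inside a popen() command
 * string do not stop $(...) substitution; an exec-style argv does.
 * SAMPLE_TMUX is constructed for the demo. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed sample: the socket-path field carries a harmless substitution. */
static const char *SAMPLE_TMUX = "/tmp/tmux-1000/$(echo INJECTED),1234,0";

/* The socket path is the text before the first comma. Caller frees. */
char *tmux_socket_path(const char *tmux_env)
{
    const char *comma = strchr(tmux_env, ',');
    size_t n = comma ? (size_t)(comma - tmux_env) : strlen(tmux_env);
    char *path = malloc(n + 1);
    if (!path)
        return NULL;
    memcpy(path, tmux_env, n);
    path[n] = '\0';
    return path;
}

/* Vulnerable pattern: the path is interpolated into a shell command line.
 * /bin/echo stands in for tmux. Captured output is written to out. */
char *run_via_popen(const char *socket_path, char *out, size_t outlen)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "/bin/echo \"%s\"", socket_path);
    FILE *fp = popen(cmd, "r");
    if (!fp)
        return NULL;
    size_t got = fread(out, 1, outlen - 1, fp);
    out[got] = '\0';
    pclose(fp);
    return out;
}

/* Hardened pattern: no shell. argv goes straight to execv(), so the path is a
 * single literal argument whatever characters it contains. Returns exit status. */
static int run_argv_capture(char *const argv[], char *out, size_t outlen)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execv(argv[0], argv);
        _exit(127);
    }
    close(fds[1]);
    size_t total = 0;
    ssize_t n;
    while (total < outlen - 1 &&
           (n = read(fds[0], out + total, outlen - 1 - total)) > 0)
        total += (size_t)n;
    out[total] = '\0';
    close(fds[0]);
    int status;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

char *run_via_execv(const char *socket_path, char *out, size_t outlen)
{
    char *argv[] = { "/bin/echo", (char *)socket_path, NULL };
    return run_argv_capture(argv, out, outlen) == 0 ? out : NULL;
}

int main(void)
{
    char buf[256];
    char *path = tmux_socket_path(SAMPLE_TMUX);
    printf("popen : %s", run_via_popen(path, buf, sizeof buf));
    printf("execv : %s", run_via_execv(path, buf, sizeof buf));
    free(path);
    return 0;
}
```

Run stand-alone, the popen line prints `/tmp/tmux-1000/INJECTED` (the substitution ran) and the execv line prints the path byte for byte. The same argv discipline fixes the UUID case; the PINENTRY_FALLBACK_APP case additionally needs the executable path to come from configuration rather than the environment.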

Authentication Bypass and Deny_Remote Flaws (CVSS 6.3 – 8.1)

Several CVEs undermine the core authentication guarantees of Pam Usb. CVE-2026-48064 (CVSS 8.1) is a high-severity bypass: when a PAM service is configured with deny_remote=false (commonly done for display managers such as gdm-password or lightdm, to skip the process/TTY heuristics for local sessions), the PAM_RHOST check in pusb_do_auth() can be trivially bypassed, allowing remote authentication to be treated as local.

CVE-2026-47272 (CVSS 7.1) bypasses the dual-pad verification scheme. The pusb_pad_compare() function in src/pad.c only verified that the user-side pad (~/.pamusb/device.pad) could be read, but did not enforce that the system-side pad (the pad file on the USB device) was also present and readable. This allows an attacker with access to the user's home directory to authenticate without possessing the physical USB device.
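
An added example, modelled on the description above rather than taken from pam_usb's src/pad.c, of what a pad check must enforce: both pads present, both readable, same length, same bytes. The weak variant passes when the device-side pad is simply absent; the hardened one treats any missing or unreadable pad as failure and compares without short-circuiting. PAD_MAX and the temp-file helper are assumptions for the demo.

```c
/* Added example (not pam_usb code): one-time-pad comparison that requires
 * both the user-side and the device-side pad. PAD_MAX is an assumed bound. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PAD_MAX 4096

/* Read a whole pad file into buf. Returns its length, or -1 if the file is
 * missing, unreadable, empty, or larger than cap. */
static long read_pad(const char *path, unsigned char *buf, size_t cap)
{
    FILE *fp = fopen(path, "rb");
    if (!fp)
        return -1;
    size_t n = fread(buf, 1, cap, fp);
    int too_big = (n == cap && fgetc(fp) != EOF);
    fclose(fp);
    if (n == 0 || too_big)
        return -1;
    return (long)n;
}

/* Modelled on the described bug: the device pad is only consulted when it
 * happens to be readable; when it is not, the user pad alone is accepted. */
int pad_compare_weak(const char *user_pad, const char *device_pad)
{
    unsigned char a[PAD_MAX], b[PAD_MAX];
    long la = read_pad(user_pad, a, sizeof a);
    if (la < 0)
        return 0;
    long lb = read_pad(device_pad, b, sizeof b);
    if (lb < 0)
        return 1; /* the flaw: a missing device pad is not a failure */
    return la == lb && memcmp(a, b, (size_t)la) == 0;
}

/* Hardened: both pads must exist, be readable, and match byte for byte.
 * The loop does not stop at the first differing byte. Returns 1 on match. */
int pad_compare(const char *user_pad, const char *device_pad)
{
    unsigned char a[PAD_MAX], b[PAD_MAX];
    long la = read_pad(user_pad, a, sizeof a);
    long lb = read_pad(device_pad, b, sizeof b);
    if (la < 0 || lb < 0 || la != lb)
        return 0;
    unsigned char diff = 0;
    for (long i = 0; i < la; i++)
        diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Demo helper: write bytes to a fresh temp file, return its path (caller frees). */
char *write_temp_pad(const unsigned char *data, size_t len)
{
    char name[] = "/tmp/pamusb-demo-pad-XXXXXX";
    int fd = mkstemp(name);
    if (fd < 0)
        return NULL;
    ssize_t w = write(fd, data, len);
    close(fd);
    if (w < 0 || (size_t)w != len) {
        unlink(name);
        return NULL;
    }
    return strdup(name);
}
```

With the device absent, `pad_compare_weak` returns 1 and `pad_compare` returns 0; that difference is the whole vulnerability. In a real module the device pad path is derived from the mounted device, and the module should also refuse to follow symlinks when opening either pad (see the symlink section below).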

CVE-2026-47269 (CVSS 7.4) is a logic error in the deny_remote feature: the outer guard if (utent->ut_addr_v6[0] != 0) tests only the first 32-bit word of the utmp address field. A plain IPv4 address is stored in that word, but an IPv4-mapped IPv6 address (::ffff:a.b.c.d) has its first two words zero, with the ffff marker in the third word and the IPv4 address in the fourth, so the guard evaluates false and a remote session can be misclassified as local.
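
An added example, not pam_usb code, that shows the misclassification on a constructed utmp-style address array. utmp's ut_addr_v6 is int32_t[4]; an IPv4 login fills word 0 and an IPv6 login fills all four words in network byte order. The flawed guard looks at word 0 only; the corrected guard treats any non-zero word as a recorded address.

```c
/* Added example (not pam_usb code): classifying a utmp entry's address.
 * The addresses fed in by the test are constructed documentation ranges. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Guard as described for CVE-2026-47269: only word 0 is examined. */
int session_has_remote_addr_flawed(const int32_t addr[4])
{
    return addr[0] != 0;
}

/* Corrected guard: any non-zero word means an address was recorded. */
int session_has_remote_addr(const int32_t addr[4])
{
    return (addr[0] | addr[1] | addr[2] | addr[3]) != 0;
}

/* Fill a ut_addr_v6-style array from text the way an IPv4 (word 0) or IPv6
 * (all 16 bytes) login would be recorded. Returns 0 on success, -1 otherwise. */
int parse_ut_addr(const char *text, int32_t out[4])
{
    memset(out, 0, 4 * sizeof out[0]);
    if (inet_pton(AF_INET, text, out) == 1)
        return 0;
    if (inet_pton(AF_INET6, text, out) == 1)
        return 0;
    return -1;
}
```

For `::ffff:203.0.113.7` the flawed guard returns 0 (local) while the corrected one returns 1. Either guard still only covers sessions whose utmp writer recorded an address at all, which is why the module's other heuristics (PAM_RHOST, TTY checks) remain necessary.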

CVE-2026-47270 (CVSS 6.3) is a related concurrency issue: three functions used by the deny_remote feature called non-reentrant library functions in a multi-threaded context. Display managers such as GDM run multiple concurrent authentication threads, making this a realistic attack surface.

Symlink Attacks and File Corruption (CVSS 7.9)

CVE-2026-44711 (CVSS 7.9) describes symlink attacks on the pad directory and pad files that enable both authentication bypass and root file corruption. An attacker who can create symlinks in the pad directory path can redirect writes to arbitrary files on the system.

XPath Injection (CVSS 6.5)

CVE-2026-47273 (CVSS 6.5) affects the configuration query layer. Pam Usb builds XPath expressions from user-supplied identifiers (PAM username, service name) and device-supplied identifiers (USB device serial, model, vendor) to query /etc/pamusb.conf. These identifiers were not validated before interpolation, enabling XPath injection that could alter authentication logic or leak configuration data.
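
An added example, not pam_usb code, of the interpolation problem and one correct fix. XPath 1.0 string literals have no escape sequence, so a value that contains both kinds of quote cannot be quoted directly and must be split with concat(). The query shape `//users/user[@id=...]` and the injected identifier are assumptions for the demo. (libxml2 also offers xmlXPathRegisterVariable() for binding values, and for identifiers as constrained as usernames and serials an allowlist of permitted characters is a simpler alternative.)

```c
/* Added example (not pam_usb code): building an XPath predicate from an
 * untrusted identifier, raw versus via a correctly quoted literal. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern: raw interpolation into a single-quoted literal. */
char *build_xpath_raw(const char *user_id)
{
    size_t cap = strlen(user_id) + 32;
    char *q = malloc(cap);
    if (q)
        snprintf(q, cap, "//users/user[@id='%s']", user_id);
    return q;
}

/* Return an XPath expression that evaluates to exactly s. Caller frees.
 * No single quote: 'text'. No double quote: "text". Both: concat() of
 * single-quoted runs and the two-character literal "'" for each apostrophe. */
char *xpath_string_literal(const char *s)
{
    size_t cap = strlen(s) * 6 + 16; /* every byte may become its own segment */
    char *out = malloc(cap);
    if (!out)
        return NULL;
    if (!strchr(s, '\'')) {
        snprintf(out, cap, "'%s'", s);
        return out;
    }
    if (!strchr(s, '"')) {
        snprintf(out, cap, "\"%s\"", s);
        return out;
    }
    size_t len = (size_t)snprintf(out, cap, "concat(");
    const char *p = s;
    int first = 1;
    while (*p) {
        if (!first)
            out[len++] = ',';
        first = 0;
        if (*p == '\'') {
            memcpy(out + len, "\"'\"", 3);
            len += 3;
            p++;
        } else {
            const char *q = strchr(p, '\'');
            size_t run = q ? (size_t)(q - p) : strlen(p);
            out[len++] = '\'';
            memcpy(out + len, p, run);
            len += run;
            out[len++] = '\'';
            p += run;
        }
    }
    out[len++] = ')';
    out[len] = '\0';
    return out;
}

/* Hardened builder: the identifier can only ever be a string value. */
char *build_xpath_safe(const char *user_id)
{
    char *lit = xpath_string_literal(user_id);
    if (!lit)
        return NULL;
    size_t cap = strlen(lit) + 32;
    char *q = malloc(cap);
    if (q)
        snprintf(q, cap, "//users/user[@id=%s]", lit);
    free(lit);
    return q;
}
```

For the identifier `bob' or "1"='1` the raw builder yields a predicate that is true for every user element, while the safe builder yields `[@id=concat('bob',"'",' or "1"=',"'",'1')]`, which matches only a user whose id is literally that string.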

Heap Exhaustion on 32-bit Targets (CVSS 6.7)

CVE-2026-48065 (CVSS 6.7) is a denial-of-service vulnerability in src/conf.c. A function there allocates heap memory proportional to n_devices, a count derived from libxml2's XPath evaluation of the config file, without enforcing an upper bound. On 32-bit targets (armv7l and i686, both listed in the project's CI) the smaller address space means a large count exhausts the heap and crashes the authenticating process.

Data Race and Re-entrancy Violation (CVSS 5.7)

CVE-2026-48066 (CVSS 5.7) is a subtle but important flaw in src/log.c. A process-wide static pointer is overwritten on every PAM invocation with the address of a stack-local variable. This violates the PAM re-entrancy requirement: when two authentications run concurrently, as they do in a multi-threaded display manager, one invocation can log through a pointer into the other's stack frame, including a frame that has already returned.

Missing NULL Checks and Silent Error Handling (CVSS 4.6 – 6.3)

CVE-2026-44710 (CVSS 4.6): src/device.c passes the return values of udisks_drive_get_serial(), udisks_drive_get_vendor(), and udisks_drive_get_model() directly to strcmp() without NULL checks. Per the GIO/UDisks API documentation these accessors can return NULL, so a device that lacks one of the properties crashes the authenticating process.

CVE-2026-48792 (CVSS 4.4) is a logic error in src/evdev.c: the code silently ignores EACCES when opening /dev/input/event* nodes, so pusb_has_virtual_input_device() returns 0 (no virtual devices found) even when every open() call failed for lack of permission. A caller cannot distinguish "none present" from "could not check", which gives a false sense of security about virtual input device detection.

CVE-2026-47274 (CVSS 6.3) covers multiple helper tools that resolved external binaries through the PATH environment variable rather than using absolute paths. An attacker who can influence the process environment during PAM authentication or tool execution can hijack these lookups.

CVE-2026-47271 (CVSS 5.1) is a build-time assertion issue: src/mem.c implemented out-of-memory guards for xmalloc(), xrealloc(), and xstrdup() using assert(data != NULL). Per the C standard, all assert() expressions are compiled out when NDEBUG is defined at build time, meaning production builds may silently return NULL pointers.
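
An added example, not pam_usb code, covering the two allocation issues above: it defines NDEBUG before including assert.h, as a release build's CFLAGS might, to show the assert()-based guard returning NULL silently, then re-enables assert() and shows an explicit guard plus a bounded, overflow-checked array allocation of the kind the n_devices path needs. MAX_DEVICES is an assumed limit.

```c
/* Added example (not pam_usb code): an out-of-memory guard that survives
 * NDEBUG, and a bounded allocation for a count read from configuration.
 * MAX_DEVICES is an assumed limit. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

#define MAX_DEVICES 256

/* Mimic a release build for the next function only. */
#define NDEBUG
#include <assert.h>

/* Guard in the shape described for CVE-2026-47271: with NDEBUG defined the
 * assert expands to nothing and NULL is handed straight back to the caller. */
void *oom_guard_via_assert(void *p)
{
    assert(p != NULL);
    return p;
}

/* Re-enable assert() for the rest of this translation unit. */
#undef NDEBUG
#include <assert.h>

/* Explicit guard: behaves the same in debug and release builds. */
void *xmalloc_checked(size_t size)
{
    void *p = malloc(size ? size : 1);
    if (p == NULL) {
        fputs("out of memory\n", stderr);
        abort();
    }
    return p;
}

/* Bounded, overflow-checked array allocation. Returns NULL without touching
 * the heap when n is zero, exceeds max_n, or n * elem_size would overflow
 * size_t; that bound is what the n_devices path in CVE-2026-48065 lacked. */
void *alloc_array_bounded(size_t n, size_t elem_size, size_t max_n)
{
    if (n == 0 || n > max_n)
        return NULL;
    if (elem_size != 0 && n > SIZE_MAX / elem_size)
        return NULL;
    return calloc(n, elem_size);
}
```

The bound check runs before any allocation, so an oversized device count in /etc/pamusb.conf is rejected as a configuration error rather than turned into a 32-bit heap exhaustion; the explicit guard replaces assert() so that a packager's -DNDEBUG cannot remove it.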

Patch Status and Mitigation

The fixes are version-dependent. CVE-2026-44709, CVE-2026-44710, CVE-2026-44711, CVE-2026-44712, and CVE-2026-44713 are fixed in 0.8.7. CVE-2026-47269, CVE-2026-47270, CVE-2026-47271, CVE-2026-47272, CVE-2026-47273, and CVE-2026-47274 are fixed in 0.9.0. CVE-2026-48064, CVE-2026-48065, CVE-2026-48066, and CVE-2026-48792 are fixed in 0.9.1. Users on versions prior to 0.8.7 are exposed to all 15 CVEs; 0.8.7 and later 0.8.x releases still carry the ten issues fixed in 0.9.0 and 0.9.1, and 0.9.0 still carries the four fixed in 0.9.1. Everyone should upgrade to 0.9.1.

Why This Matters

Pam Usb is deployed on Linux systems that use a removable device as a possession factor for login. The breadth of this batch, spanning physical device attacks, environment variable injection, and concurrency bugs, means attackers have multiple independent paths to subvert authentication, several of them requiring nothing more than a local unprivileged account. Disclosing all 15 CVEs on a single day reflects a coordinated review of a project that had not previously received this depth of security scrutiny. Users should upgrade to 0.9.1 and review their Pam Usb configurations, particularly any deny_remote=false settings on display manager services.

AI-written article. Grounded in 15 CVE records listed below.