VYPR
High severity7.8NVD Advisory· Published May 27, 2026· Updated Jun 2, 2026

CVE-2026-44709

CVE-2026-44709

Description

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, pamusb-pinentry reads the PINENTRY_FALLBACK_APP environment variable and executes it directly without any validation. Any process that can set environment variables before pamusb-pinentry is invoked can point PINENTRY_FALLBACK_APP at an arbitrary binary or script and have it executed with the privileges of the pam_usb tool chain. This vulnerability is fixed in 0.8.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Mcdope/Pam Usbinferred2 versions
    <0.8.7+ 1 more
    • (no CPE)range: <0.8.7
    • (no CPE)range: <0.8.7

Patches

Vulnerability mechanics

References

1

News mentions

1