VYPR advisory, published May 31, 2026 (1 source)

15 CVEs Disclosed in Mcdope Pam Usb Linux Authentication Module — Command Injection, Auth Bypass, and Race Conditions

Fifteen vulnerabilities spanning command injection, authentication bypass, symlink attacks, and data races were disclosed on May 27, 2026, in Mcdope's Pam Usb Linux authentication module, with fixes available in version 0.9.1.

On May 27, 2026, a batch of 15 CVEs was published for Mcdope Pam Usb, a PAM module that provides hardware authentication for Linux using ordinary removable media. The vulnerabilities — ranging in severity from Medium (CVSSv3 4.4) to High (CVSSv3 8.8) — were disclosed in a tight one-hour window and affect versions prior to 0.8.7, 0.9.0, or 0.9.1 depending on the specific flaw. The breadth of bug classes — command injection, XPath injection, symlink attacks, data races, heap overflows, and missing NULL checks — makes this one of the most consequential disclosure events for the project to date.

Three of the most severe CVEs involve shell injection or arbitrary command execution. CVE-2026-44713 (CVSS 8.8) targets the tmux integration: src/tmux.c reads the user's $TMUX environment variable, splits it on commas, and interpolates the socket-path component directly into a shell command passed to popen(). Because the value is placed inside double quotes without sanitization, an attacker who controls the $TMUX variable can achieve root command injection during PAM authentication. CVE-2026-44712 (CVSS 8.2) is a particularly insidious hardware-in-the-loop attack: a crafted USB device filesystem UUID (a value some USB controllers allow) such as $(id>/tmp/rce) can trigger root RCE when pamusb-conf --reset-pads is run against the device. CVE-2026-44709 (CVSS 7.8) is a simpler environment-based injection: the pamusb-pinentry helper reads the PINENTRY_FALLBACK_APP environment variable and executes it directly.
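As an added example (not code from the Pam Usb project), the defensive counterpart to the CVE-2026-44713 pattern: the socket-path component of $TMUX is allowlist-validated and then handed to execvp() as a single argv element instead of being interpolated into a popen() command line, so no shell ever re-parses it. The tmux subcommand and both function names are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Extract the socket-path component of a $TMUX value
 * ("socket_path,server_pid,session_index") into out, accepting it only if
 * it is an absolute path built from an allowlisted character set and free
 * of ".." segments; shell metacharacters, quotes and spaces are rejected. */
bool tmux_socket_path(const char *tmux_env, char *out, size_t outlen)
{
    if (tmux_env == NULL || out == NULL || outlen == 0)
        return false;
    const char *comma = strchr(tmux_env, ',');
    size_t len = comma ? (size_t)(comma - tmux_env) : strlen(tmux_env);
    if (len == 0 || len >= outlen || tmux_env[0] != '/')
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)tmux_env[i];
        if (!(isalnum(c) || c == '/' || c == '-' || c == '_' || c == '.'))
            return false;        /* rejects $ ( ) ; ` " ' and whitespace */
        if (c == '.' && i + 1 < len && tmux_env[i + 1] == '.')
            return false;        /* no traversal via ".." */
    }
    memcpy(out, tmux_env, len);
    out[len] = '\0';
    return true;
}

/* Hypothetical replacement for a popen("tmux -S \"%s\" ...") call: argv is
 * an array, so the path is one argument. Returns exit status or -1. */
int run_tmux_list_clients(const char *socket_path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "tmux", "-S", (char *)socket_path,
                               "list-clients", NULL };
        execvp(argv[0], argv);
        _exit(127);              /* exec failed, e.g. tmux not installed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```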

Several CVEs undermine the core authentication guarantees of Pam Usb. CVE-2026-48064 (CVSS 8.1) is a critical bypass: when a PAM service is configured with deny_remote=false (commonly done for display managers such as gdm-password or lightdm), the PAM_RHOST check in pusb_do_auth() can be trivially bypassed, allowing remote authentication to be treated as local. CVE-2026-47272 (CVSS 7.1) bypasses the dual-pad verification scheme: the pusb_pad_compare() function only verified that the user-side pad could be read, but did not enforce that the system-side pad on the USB device was also present, allowing an attacker with access to the user's home directory to authenticate without possessing the physical USB device. CVE-2026-47269 (CVSS 7.4) is a logic error in the deny_remote feature: the outer guard only tests the first 32-bit word of the IPv6 address, which can produce false negatives for certain IPv4-mapped IPv6 addresses.

CVE-2026-44711 (CVSS 7.9) describes symlink attacks on the pad directory and pad files that enable both authentication bypass and root file corruption. An attacker who can create symlinks in the pad directory path can redirect writes to arbitrary files on the system. CVE-2026-47273 (CVSS 6.5) affects the configuration query layer: Pam Usb builds XPath expressions from user-supplied identifiers (PAM username, service name) and device-supplied identifiers (USB device serial, model, vendor) to query /etc/pamusb.conf, enabling XPath injection that could alter authentication logic or leak configuration data.

CVE-2026-48065 (CVSS 6.7) is a denial-of-service vulnerability in src/conf.c that allocates heap memory proportional to n_devices without enforcing an upper bound, leading to heap exhaustion on 32-bit targets such as armv7l and i686. CVE-2026-48066 (CVSS 5.7) is a data race in src/log.c where a process-wide static pointer is written on every PAM invocation with the address of a stack-local variable, violating PAM re-entrancy requirements in multi-threaded display managers. Additional bugs include missing NULL checks in src/device.c (CVE-2026-44710, CVSS 4.6) and a logic error in src/evdev.c that silently ignores EACCES errors (CVE-2026-48792, CVSS 4.4).

Fixes span three releases: 0.8.7, 0.9.0, and 0.9.1. Users should upgrade to version 0.9.1, which covers all 15 CVEs. The coordinated disclosure highlights the risks of hardware-backed authentication modules that combine low-level USB operations with shell commands and environment variables, a pattern that has historically produced severe vulnerabilities in similar projects.

Synthesized by Vypr AI