PT-2026-44085 · Pam Usb · Pam Usb
Mcdope · Published 2026-05-27 · Updated 2026-05-27 · CVE-2026-47272
CVSS v3.1: 7.1 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
pam_usb versions prior to 0.9.0
Description
The pusb_pad_compare() function in src/pad.c only verifies that the user-side pad (~/.pamusb/device.pad) is readable, without ensuring the system-side pad on the USB device is present and readable. If the user-side pad is deleted or unreadable, the function returns a failure that some code paths treat as non-fatal, allowing authentication to succeed without verifying the USB device. Consequently, a local user can delete their own ~/.pamusb/device.pad to bypass the physical USB device requirement.
Recommendations
Update to version 0.9.0.
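
The failure mode described above, as an added example in C that is not pam_usb's own code: a simplified model in which an unreadable pad yields an error, a fail-open caller accepts that error, and a fail-closed caller grants access only on a verified match. All function names, the file names and the 1024-byte pad size are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

#define PAD_LEN 1024 /* assumed pad size for this sketch */
enum pad_result { PAD_MATCH, PAD_MISMATCH, PAD_ERROR };

/* Demo helper: write a constructed pad filled with one byte value. */
int write_pad(const char *path, int fill)
{
    unsigned char buf[PAD_LEN];
    FILE *f = fopen(path, "wb");
    if (f == NULL) return -1;
    memset(buf, fill, sizeof buf);
    size_t n = fwrite(buf, 1, sizeof buf, f);
    return (fclose(f) == 0 && n == sizeof buf) ? 0 : -1;
}

/* Read exactly PAD_LEN bytes; a missing file or short read is an error. */
static int read_pad(const char *path, unsigned char *buf)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, PAD_LEN, f);
    fclose(f);
    return n == PAD_LEN ? 0 : -1;
}

/* Both pads must be read in full before they are compared. */
enum pad_result pad_compare(const char *user_pad, const char *device_pad)
{
    unsigned char a[PAD_LEN], b[PAD_LEN], diff = 0;
    if (read_pad(user_pad, a) != 0 || read_pad(device_pad, b) != 0)
        return PAD_ERROR;
    for (size_t i = 0; i < PAD_LEN; i++)
        diff |= a[i] ^ b[i]; /* no early exit on the first difference */
    return diff == 0 ? PAD_MATCH : PAD_MISMATCH;
}

/* Fail-open caller: an unreadable pad (PAD_ERROR) is not treated as denial. */
int auth_fail_open(const char *u, const char *d) { return pad_compare(u, d) != PAD_MISMATCH; }

/* Fail-closed caller: only a verified match grants access. */
int auth_fail_closed(const char *u, const char *d) { return pad_compare(u, d) == PAD_MATCH; }

int main(void)
{   /* Constructed scenario: device pad present, user-side pad absent. */
    if (write_pad("device.pad.tmp", 0x5a) != 0) return 1;
    printf("fail-open: %d, fail-closed: %d\n",
           auth_fail_open("missing.pad.tmp", "device.pad.tmp"),
           auth_fail_closed("missing.pad.tmp", "device.pad.tmp"));
    return remove("device.pad.tmp");
}
```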
Fix
Improper Authentication
Use of Uninitialized Resource
Affected Products
Pam Usb