PT-2026-44114 · Pam Usb · Pam Usb

Mcdope · Published 2026-05-27 · Updated 2026-05-28 · CVE-2026-47269

CVSS v3.1: 7.4 High

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

pam_usb versions prior to 0.9.0

Description

The deny_remote feature incorrectly classifies IPv4-mapped IPv6 remote connections as local sessions. This occurs because the system checks the ut_addr_v6 field of utmpx using a guard if (utent->ut_addr_v6[0] != 0), which only validates the first 32-bit word of the 128-bit address field. IPv4-mapped IPv6 addresses (::ffff:x.x.x.x) store the IPv4 address in ut_addr_v6[3] while ut_addr_v6[0] remains 0. On systems where the SSH daemon listens on the IPv6 wildcard (::) with AddressFamily any, such as common Ubuntu and Debian configurations, incoming IPv4 connections are recorded as IPv4-mapped IPv6 addresses. Consequently, the remote-detection block is skipped, and the session is treated as local, allowing the deny_remote=true setting to be bypassed. An attacker with physical access to a registered USB device can authenticate over SSH as if they were at a local terminal.

Recommendations

Update to version 0.9.0.
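The guard from the description, next to a check that inspects all four words, as an added example (not pam_usb's code and not the 0.9.0 patch). The int32_t[4] array stands in for ut_addr_v6; the function names and sample addresses are constructed for illustration, and the all-words check is an assumed correction.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Guard as quoted in the advisory: looks at the first 32-bit word only. */
static int has_remote_addr_flawed(const int32_t a[4])
{
    return a[0] != 0;
}

/* Assumed correction: an address is present if any of the four words is set. */
static int has_remote_addr_checked(const int32_t a[4])
{
    return (a[0] | a[1] | a[2] | a[3]) != 0;
}

/* Fill a ut_addr_v6-style array from text: plain IPv4 goes in word 0,
 * IPv6 (including ::ffff:a.b.c.d) spans all four words. */
static int fill_addr(const char *text, int32_t out[4])
{
    unsigned char raw[16];
    memset(out, 0, 4 * sizeof(int32_t));
    if (inet_pton(AF_INET, text, raw) == 1) {
        memcpy(&out[0], raw, 4);
        return 0;
    }
    if (inet_pton(AF_INET6, text, raw) == 1) {
        memcpy(out, raw, 16);
        return 0;
    }
    return -1;
}

/* Returns 1 if the chosen guard (0 = flawed, 1 = checked) sees a remote host. */
static int classify(const char *text, int use_checked)
{
    int32_t a[4];
    if (fill_addr(text, a) != 0)
        return -1;
    return use_checked ? has_remote_addr_checked(a) : has_remote_addr_flawed(a);
}

int main(void)
{
    /* Constructed sample hosts from documentation address ranges. */
    const char *hosts[] = { "192.0.2.10", "::ffff:192.0.2.10", "2001:db8::5" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-20s flawed=%d checked=%d\n", hosts[i],
               classify(hosts[i], 0), classify(hosts[i], 1));
    return 0;
}
```

Only the IPv4-mapped entry differs between the two guards, which is the case the advisory describes.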

Fix

Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2026-47269

Affected Products

Pam Usb