PT-2026-44115 · Pam Usb · Pam Usb

Mcdope · Published 2026-05-27 · Updated 2026-05-28 · CVE-2026-47270

CVSS v3.1: 6.3 (Medium)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: pam_usb versions prior to 0.9.0

Description: This issue occurs in the deny_remote feature of the PAM module, which is loaded into host processes such as sudo, login, GDM, and GNOME Shell. In multi-threaded environments like GDM, three functions use the non-reentrant strtok() function. Because strtok() stores its state in a single global pointer, concurrent authentication threads can race, allowing one thread to overwrite another's tokenization pointer. This leads to incorrect parsing of the /proc environment scans or tmux session data used for remote-session detection. Furthermore, the pusb_tmux_get_client_tty() function passes the raw pointer returned by getenv("TMUX") directly to strtok(). Since strtok() writes NUL bytes into the buffer it is given, here the live process environment block, the TMUX variable is permanently truncated for all subsequent code in that process. Consequently, when deny_remote=true is set, the module may make incorrect authentication decisions for either remote or local sessions depending on thread interleaving.

Recommendations: Update to version 0.9.0.
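The two defects described above, the in-place tokenization of the getenv() buffer and the shared strtok() state, are illustrated below in an added example that is not pam_usb's own code. It assumes the TMUX variable has the form "socket-path,server-pid,session-index" (a constructed sample is embedded, so nothing is read from the real environment) and shows the unsafe pattern next to a hardened parser that copies the value and uses the reentrant strtok_r().

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of a TMUX value (assumed layout: socket,pid,session). */
const char *SAMPLE_TMUX = "/tmp/tmux-1000/default,4242,0";

/* Unsafe pattern: strtok() overwrites the first ',' with a NUL byte inside
 * the buffer it is handed and keeps its position in one global pointer.
 * Handed the live getenv() buffer, it truncates the variable for the whole
 * process; called from two threads, the global pointer is shared between them. */
char *get_socket_path_unsafe(char *tmux_value)
{
    return strtok(tmux_value, ",");
}

/* Hardened pattern: tokenize a private copy with strtok_r(), whose save
 * pointer lives on this thread's stack. The environment is never modified. */
int parse_tmux_safe(const char *tmux_value, char *sock_out, size_t sock_len,
                    long *pid_out)
{
    char *copy, *save = NULL, *tok;
    int ok = 0;

    if (tmux_value == NULL)          /* not inside tmux: nothing to parse */
        return 0;
    copy = strdup(tmux_value);
    if (copy == NULL)
        return 0;
    tok = strtok_r(copy, ",", &save);
    if (tok != NULL && strlen(tok) < sock_len) {
        strcpy(sock_out, tok);       /* length checked against sock_len above */
        tok = strtok_r(NULL, ",", &save);
        if (tok != NULL) {
            *pid_out = strtol(tok, NULL, 10);
            ok = 1;
        }
    }
    free(copy);
    return ok;
}

/* Shows the corruption: after the unsafe call the stored value is cut at the
 * first comma, so later readers of "TMUX" see only the socket path. */
size_t unsafe_leaves_length(void)
{
    char env_like[64];               /* stands in for the process environment */
    strcpy(env_like, SAMPLE_TMUX);
    get_socket_path_unsafe(env_like);
    return strlen(env_like);         /* 22 instead of the original 29 */
}
```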

Fix

Weakness Enumeration: Race Condition

Related Identifiers: CVE-2026-47270

Affected Products: Pam Usb