PatchSiren cyber security CVE debrief

CVE-2026-44711 mcdope CVE debrief

CVE-2026-44711 is a high-severity vulnerability in pam_usb, a Linux hardware authentication module that enables authentication using ordinary removable media. The flaw, present in versions prior to 0.8.7, involves symlink attacks targeting the pad directory and pad files. Successful exploitation can result in authentication bypass and root file corruption. The vulnerability was published on May 27, 2026, and is fixed in pam_usb version 0.8.7. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H) indicates a local attack vector with low attack complexity, requiring low privileges and user interaction, with significant impact to integrity and availability. The weakness classifications include CWE-59 (Improper Link Resolution Before File Access) and CWE-287 (Improper Authentication).

Vendor: mcdope
Product: pam_usb
CVSS: HIGH 7.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-28
Advisory published: 2026-05-27
Advisory updated: 2026-05-28

Who should care

Linux system administrators using pam_usb for hardware-based authentication, security teams managing removable media authentication workflows, and organizations with high-integrity requirements for root filesystem protection.

Technical summary

pam_usb versions prior to 0.8.7 are vulnerable to symlink attacks on pad directories and pad files. An attacker with local access and low privileges can exploit improper link resolution (CWE-59) to bypass authentication mechanisms (CWE-287) and corrupt root-owned files. The attack requires user interaction, and its CVSS scope is changed (S:C), meaning the impact reaches resources beyond the vulnerable component. The vulnerability is resolved in version 0.8.7.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade pam_usb to version 0.8.7 or later to remediate this vulnerability.
  • Review systems for unauthorized authentication events or unexpected root file modifications that may indicate exploitation.
  • Audit file permissions and symlink handling in pam_usb pad directories to ensure secure configuration.
  • Monitor for anomalous removable media mounting and authentication patterns on Linux systems using pam_usb.
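
One way to carry out the pad-directory audit from the list above, as an added example that is not part of the advisory or of pam_usb itself. The directory is passed as an argument because this page does not give pad locations; the function name, the finding labels and the choice of checks (symlinked directory, symlinked entries, group/other-writable modes, unexpected owner) are assumptions.

```shell
#!/bin/sh
# Added example (not pam_usb code): audit a pad directory for the conditions
# a symlink attack depends on. The directory path is an operator-supplied
# argument because the advisory text does not list pad locations.

# audit_pad_dir DIR [UID]
#   DIR  pad directory to inspect (placeholder, supply your own)
#   UID  numeric owner expected for DIR and its entries (default: caller)
# Prints one finding per line. Returns 0 clean, 1 findings, 2 usage error.
audit_pad_dir() {
    dir=$1
    uid=${2:-$(id -u)}
    if [ -z "$dir" ] || { [ ! -d "$dir" ] && [ ! -L "$dir" ]; }; then
        echo "usage: audit_pad_dir DIR [UID]" >&2
        return 2
    fi

    report=$(
        # The directory itself must not be a link to somewhere else.
        if [ -L "$dir" ]; then
            printf 'SYMLINK_DIR %s -> %s\n' "$dir" "$(readlink "$dir")"
        fi
        # No entry below it should be a symlink (find does not follow links).
        find "$dir/" -type l 2>/dev/null | while IFS= read -r p; do
            printf 'SYMLINK_ENTRY %s -> %s\n' "$p" "$(readlink "$p")"
        done
        # Nothing should be writable by group or other ...
        find "$dir/" ! -type l \( -perm -0020 -o -perm -0002 \) 2>/dev/null |
            sed 's/^/LOOSE_MODE /'
        # ... or owned by anyone except the expected user.
        find "$dir/" ! -type l ! -user "$uid" 2>/dev/null |
            sed 's/^/WRONG_OWNER /'
    )

    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Source the file and call `audit_pad_dir` once per pad directory, as the account that owns it or with that account's numeric UID as the second argument; a non-zero return marks a directory to inspect by hand.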

Evidence notes

Vulnerability description and fix version confirmed via NVD and GitHub Security Advisory. CVSS vector and weakness enumerations sourced from official vulnerability databases.
