PatchSiren

CVE-2026-44712 mcdope CVE debrief

pam_usb prior to 0.8.7 contains multiple command injection vulnerabilities enabling root remote code execution. The primary attack vector involves a crafted filesystem UUID containing shell metacharacters (e.g., $(id>/tmp/rce)) that is processed unsafely when pamusb-conf --reset-pads executes. USB device controllers permitting UUID modification allow payload injection during --add-device operations. A secondary vector exists where the userName field from the XML configuration is passed directly to os.system() in pamusb-agent, invoking a shell without sanitization. Both vulnerabilities result from improper neutralization of special elements used in OS commands (CWE-78) and improper control of generation of code (CWE-88). The CVSS 3.1 vector AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H reflects a local attack vector and high privileges required, but also a scope change and high impact on confidentiality, integrity, and availability. No known exploitation in the wild or ransomware campaign use has been documented.

Vendor: mcdope
Product: pam_usb
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-28
Advisory published: 2026-05-27
Advisory updated: 2026-05-28

Who should care

Linux system administrators using pam_usb for hardware-based authentication; security teams managing physical access controls; organizations with USB-based multi-factor authentication deployments

Technical summary

pam_usb versions before 0.8.7 fail to sanitize filesystem UUID values and XML configuration parameters before passing them to shell execution contexts. The pamusb-conf utility's --reset-pads operation and pamusb-agent's userName handling both permit arbitrary command execution as root. Attackers with the ability to present a malicious USB device (via a modifiable controller UUID) or to modify the XML configuration can achieve complete system compromise.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade pam_usb to version 0.8.7 or later immediately
  • Audit existing pam_usb configurations for suspicious UUID values or unexpected userName entries
  • Restrict physical USB device attachment to trusted personnel only
  • Consider disabling pam_usb pending patch deployment on critical systems
  • Review system logs for anomalous pamusb-conf or pamusb-agent execution patterns
  • Implement USB device whitelisting at the controller/udev level where feasible
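
One way to carry out the configuration audit from the list above, as an added example that is not pam_usb's own code. The element and attribute names (device, volume_uuid, user with an id attribute), the two allowlist patterns, and the sample configuration are assumptions constructed for illustration; adjust them to the configuration actually deployed.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: filesystem UUIDs and volume IDs contain only hex digits and
# hyphens (for example the 8-4-4-4-12 form or the short XXXX-XXXX form).
UUID_OK = re.compile(r"[0-9A-Fa-f-]{1,36}")
# Assumption: a conservative POSIX-style account name.
USER_OK = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]{0,31}")

# Constructed sample; the layout is assumed, not taken from the advisory.
# The bad values reuse the metacharacter string quoted in the summary.
SAMPLE_CONF = """<configuration>
  <devices>
    <device id="key-ok"><volume_uuid>1A2B-3C4D</volume_uuid></device>
    <device id="key-bad"><volume_uuid>$(id>/tmp/rce)</volume_uuid></device>
  </devices>
  <users>
    <user id="alice"><device>key-ok</device></user>
    <user id="bob $(id>/tmp/rce)"><device>key-bad</device></user>
  </users>
</configuration>"""


def audit(conf_xml):
    """Return (location, value) for every value that fails its allowlist."""
    root = ET.fromstring(conf_xml)
    findings = []
    for dev in root.iter("device"):
        uuid_el = dev.find("volume_uuid")
        if uuid_el is None:
            continue  # a <device> reference inside <user> carries no UUID
        value = uuid_el.text or ""
        # No stripping: stray whitespace in a UUID is itself worth flagging.
        if not UUID_OK.fullmatch(value):
            findings.append((f"device[{dev.get('id', '')}]/volume_uuid", value))
    for user in root.iter("user"):
        name = user.get("id", "")
        if not USER_OK.fullmatch(name):
            findings.append(("user/@id", name))
    return findings


if __name__ == "__main__":
    for location, value in audit(SAMPLE_CONF):
        print(f"SUSPICIOUS {location}: {value!r}")
```

An allowlist is used instead of a list of forbidden characters so that any value not shaped like a UUID or an account name is reported, whatever metacharacters it contains.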

Evidence notes

Vulnerability confirmed through GitHub Security Advisory GHSA-jgv5-w6rm-7wxg. Fix version 0.8.7 explicitly addresses both command injection vectors. CVSS 8.2 HIGH severity assigned. CPE criteria not yet available in source corpus.
