PatchSiren cyber security CVE debrief
CVE-2026-44713 mcdope CVE debrief
A command injection vulnerability exists in pam_usb prior to version 0.8.7. The software, which provides hardware authentication for Linux using removable media, improperly handles the $TMUX environment variable in src/tmux.c. The code splits the variable on commas and interpolates the socket-path component into a shell command passed to popen() without adequate sanitization. Because the value is placed inside double-quotes without escaping, a value containing a double-quote character can terminate the quoted string and inject arbitrary shell commands. Since popen() executes as root within the PAM authentication stack, this allows privilege escalation from an authenticated local user to root. The vulnerability was published on 2026-05-27 and is fixed in pam_usb 0.8.7.
- Vendor: mcdope
- Product: pam_usb
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-28
Who should care
System administrators managing Linux workstations or servers that use pam_usb for hardware-based authentication; security teams responsible for PAM stack integrity; organizations relying on removable media for multi-factor authentication; and developers maintaining PAM modules or authentication software that executes shell commands.
Technical summary
The vulnerability resides in src/tmux.c where the $TMUX environment variable is read and processed. The code splits the variable value on commas and extracts the socket-path component, which is then directly interpolated into a shell command string passed to popen(). The interpolation occurs within double-quotes without proper escaping or sanitization. A malicious value containing a double-quote character can break out of the quoted context and inject arbitrary shell syntax. Because this executes within the PAM stack as root, successful exploitation yields complete system compromise. The attack requires local access and valid user credentials to trigger PAM authentication, but no user interaction is needed during exploitation.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade pam_usb to version 0.8.7 or later to remediate this vulnerability
- Audit PAM configuration files to confirm pam_usb is in use and identify affected systems
- Review environment variable handling in custom PAM modules for similar unsafe popen() patterns
- Apply principle of least privilege by restricting PAM module execution contexts where possible
- Monitor authentication logs for anomalous pam_usb behavior or unexpected command execution
Evidence notes
The vulnerability description indicates the issue stems from unsafe shell command construction in src/tmux.c, specifically the interpolation of user-controlled $TMUX environment variable content into a double-quoted string passed to popen(). The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H reflects local attack vector with low complexity, low privileges required, no user interaction, and changed scope with high impact across confidentiality, integrity, and availability. CWE-78 (OS Command Injection) and CWE-116 (Improper Encoding or Escaping of Output) are identified as relevant weakness classifications.
Official resources
- CVE-2026-44713 CVE record (CVE.org)
- CVE-2026-44713 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27