PatchSiren cyber security CVE debrief
CVE-2026-47269 mcdope CVE debrief
pam_usb 0.9.0 fixes a logic flaw in the deny_remote feature that allowed IPv4 SSH connections to bypass remote-session detection on dual-stack (IPv6 wildcard) hosts. The vulnerability stems from an incomplete check of the ut_addr_v6 field: the code only tested ut_addr_v6[0] != 0, which fails for IPv4-mapped IPv6 addresses (::ffff:x.x.x.x) where the IPv4 address is stored in ut_addr_v6[3]. On systems with SSH configured to listen on :: with AddressFamily any—a common default on Ubuntu and Debian—incoming IPv4 connections are recorded as IPv4-mapped IPv6 addresses in utmpx. This causes the remote-detection guard to evaluate to false, treating the session as local and allowing authentication with a registered USB device over SSH despite deny_remote=true. The CVSS 3.1 score of 7.4 (HIGH) reflects network attack vector with high attack complexity, no privileges required, no user interaction, and high impact to confidentiality and integrity. The fix was committed on 2026-05-27. No known exploitation in the wild has been reported.
- Vendor: mcdope
- Product: pam_usb
- CVSS: HIGH 7.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-28
Who should care
System administrators running pam_usb with deny_remote enabled on Linux hosts with dual-stack SSH configurations; security teams responsible for remote access controls and PAM module deployments; compliance officers verifying physical-presence authentication requirements.
Technical summary
The pam_usb PAM module's deny_remote feature uses utmpx ut_addr_v6 to detect remote sessions. The check if (utent->ut_addr_v6[0] != 0) only validates the first 32 bits of the 128-bit IPv6 address field. IPv4-mapped IPv6 addresses (::ffff:0:0/96) store the IPv4 address in the last 32 bits (ut_addr_v6[3]), leaving ut_addr_v6[0] as zero. When SSH listens on :: (IPv6 wildcard) with AddressFamily any, IPv4 client connections are recorded in utmpx as IPv4-mapped IPv6 addresses. The insufficient check evaluates to false, skipping remote detection and treating the session as local. An attacker with physical access to a registered USB device can authenticate over SSH, bypassing deny_remote=true. Fixed in pam_usb 0.9.0.
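The gap between the first-word test and a full-field test, shown as an added example that is neither pam_usb's code nor the upstream 0.9.0 patch. The function remote_any_word is an assumed hardened form, and the helper names and sample addresses are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The check as the page describes it before 0.9.0: first 32-bit word only. */
static int remote_first_word_only(const int32_t addr_v6[4])
{
    return addr_v6[0] != 0;
}

/* Illustrative hardened check (assumption, not the upstream patch):
 * any non-zero word in the 128-bit field means a remote address was recorded. */
static int remote_any_word(const int32_t addr_v6[4])
{
    return (addr_v6[0] | addr_v6[1] | addr_v6[2] | addr_v6[3]) != 0;
}

/* Fill a ut_addr_v6-shaped array from a textual IPv6 address.
 * Returns 1 on success, 0 if the text does not parse. */
static int fill_addr_v6(const char *text, int32_t out[4])
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, text, &a) != 1)
        return 0;
    memcpy(out, a.s6_addr, 16);   /* 16 bytes in network byte order */
    return 1;
}

int main(void)
{
    /* Constructed samples: empty field (local), IPv4-mapped, native IPv6. */
    const char *samples[] = { "::", "::ffff:192.0.2.10", "2001:db8::1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t w[4];
        if (!fill_addr_v6(samples[i], w))
            continue;
        printf("%-20s first-word=%d any-word=%d\n", samples[i],
               remote_first_word_only(w), remote_any_word(w));
    }
    return 0;
}
```

Only the IPv4-mapped sample produces different answers from the two checks, which is the case deny_remote missed.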
Defensive priority
HIGH
Recommended defensive actions
- Upgrade pam_usb to version 0.9.0 or later to obtain the corrected remote-session detection logic.
- Verify the SSH daemon configuration: if it uses AddressFamily any with ListenAddress ::, confirm that the updated pam_usb handles IPv4 connections correctly.
- Audit authentication logs for unexpected pam_usb successes from remote source addresses, particularly where deny_remote was expected to block.
- Review utmpx entries on affected systems to confirm IPv4-mapped IPv6 address representation matches expected patterns.
- If immediate patching is not feasible, consider restricting SSH to explicit IPv4 or IPv6 listen addresses rather than wildcard bindings to avoid the IPv4-mapped address code path.
Evidence notes
The vulnerability description and fix are corroborated by the GitHub Security Advisory and commit reference in the NVD record. The CVSS vector and CWE-284 (Improper Access Control) classification are sourced from NVD. The specific technical details regarding ut_addr_v6 field layout and IPv4-mapped IPv6 address handling are derived from the CVE description.
Official resources
The vulnerability was disclosed via GitHub Security Advisory GHSA-jmmj-qhrq-w45g on 2026-05-27, with a fix commit published the same day. The CVE record was published by NVD on 2026-05-27T21:16:18.810Z.