PatchSiren

CVE-2026-47270 mcdope CVE debrief

pam_usb prior to 0.9.0 contains a race condition in its deny_remote feature that can cause incorrect authentication decisions. The vulnerability stems from use of the non-reentrant strtok() function in three functions related to remote session detection. Display managers such as GDM run multiple concurrent authentication threads, and strtok()'s global state pointer creates a race condition in which one thread's tokenization can corrupt another's. Additionally, pusb_tmux_get_client_tty() passes the raw pointer returned by getenv("TMUX") directly to strtok(), which inserts NUL bytes into the live process environment block and permanently corrupts the TMUX variable for all subsequent authentications in that long-lived process. The combined effect can cause deny_remote=true to incorrectly classify either remote sessions as local or local sessions as remote, depending on thread interleaving. This vulnerability is fixed in version 0.9.0.

Vendor
mcdope
Product
pam_usb
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-28
Advisory published
2026-05-27
Advisory updated
2026-05-28

Who should care

Organizations using pam_usb for hardware-based Linux authentication, particularly those running GDM or another display manager in multi-user environments, should prioritize this patch. Administrators running pam_usb with deny_remote enabled face two failure modes: a remote session classified as local (the deny_remote check is effectively bypassed) or a local session classified as remote (a legitimate local user is refused). Security teams in environments with mixed local/remote access policies should verify that session detection behaves as intended after patching.

Technical summary

The pam_usb PAM module prior to 0.9.0 uses the non-reentrant strtok() function in its deny_remote feature implementation. strtok() keeps its parsing cursor in a single global, so in display managers like GDM that run concurrent authentication threads, thread interleaving can hand one thread's tokens to another. The pusb_tmux_get_client_tty() function additionally passes the pointer returned by getenv("TMUX") directly to strtok(); because strtok() overwrites each delimiter with a NUL byte in place, the TMUX value inside the process environment is truncated permanently for that long-lived process. These issues can cause incorrect remote/local session classification, potentially allowing unauthorized access or denying legitimate access depending on timing. The vulnerability is classified as CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization).
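The following C program is an added illustration of the two defects described above, written for this debrief; it is not pam_usb's code and does not reproduce pusb_tmux_get_client_tty(). It models the pattern the advisory describes: parsing the TMUX variable (tmux documents its layout as "socket_path,server_pid,session_id") with strtok() applied straight to getenv()'s pointer, beside the fix of copying the value first and using the reentrant strtok_r(). The sample TMUX value, and the function names vulnerable_server_pid() and safe_server_pid(), are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample in tmux's documented "socket_path,server_pid,session_id"
 * layout; not captured from a real host. */
static const char *SAMPLE_TMUX = "/tmp/tmux-1000/default,12345,0";

/* Put the sample value into this process's environment. Returns 0 on success. */
int setup_env(void) {
    return setenv("TMUX", SAMPLE_TMUX, 1);
}

/* 1 if TMUX still carries all three comma-separated fields, 0 otherwise. */
int tmux_env_intact(void) {
    const char *v = getenv("TMUX");
    if (v == NULL) return 0;
    int commas = 0;
    for (; *v != '\0'; v++) if (*v == ',') commas++;
    return commas == 2;
}

/* Vulnerable pattern (hypothetical, modelled on the advisory): tokenize the
 * pointer getenv() returns. strtok() replaces each delimiter with '\0' in
 * place, i.e. inside the environment block, and keeps its cursor in a global
 * that every thread in the process shares. */
long vulnerable_server_pid(void) {
    char *tmux = getenv("TMUX");
    if (tmux == NULL) return -1;
    char *socket_path = strtok(tmux, ",");
    char *pid = strtok(NULL, ",");
    if (socket_path == NULL || pid == NULL) return -1;
    return strtol(pid, NULL, 10);
}

/* Fixed pattern: work on a private copy, and use strtok_r(), whose cursor is
 * a local variable rather than process-global state. */
long safe_server_pid(void) {
    const char *env = getenv("TMUX");
    if (env == NULL) return -1;
    char *copy = strdup(env);
    if (copy == NULL) return -1;
    char *save = NULL;
    char *socket_path = strtok_r(copy, ",", &save);
    char *pid = strtok_r(NULL, ",", &save);
    long result = (socket_path != NULL && pid != NULL) ? strtol(pid, NULL, 10) : -1;
    free(copy);
    return result;
}

int main(void) {
    if (setup_env() != 0) return 1;
    long pid = safe_server_pid();
    printf("safe:        pid=%ld  TMUX intact=%d\n", pid, tmux_env_intact());
    pid = vulnerable_server_pid();
    printf("vulnerable:  pid=%ld  TMUX intact=%d\n", pid, tmux_env_intact());
    printf("TMUX now reads \"%s\"\n", getenv("TMUX"));
    /* Every later caller in this process, safe or not, sees the truncated value. */
    printf("safe, again: pid=%ld\n", safe_server_pid());
    return 0;
}
```

The first call gets the right answer either way; the difference is what it leaves behind. After the vulnerable parser runs once, getenv("TMUX") yields only the socket path for the remainder of the process lifetime, which is why the advisory describes the corruption as persisting across subsequent authentications rather than affecting a single one. The thread interleaving problem is not shown because it is timing-dependent; the strtok_r() change addresses it by giving each caller its own cursor.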

Defensive priority

medium

Recommended defensive actions

  • Upgrade pam_usb to version 0.9.0 or later to eliminate the race condition and environment corruption. Restart long-lived processes that load the module (the display manager in particular) after upgrading, since a TMUX value already corrupted in their environment persists until the process exits
  • If immediate patching is not possible, consider disabling the deny_remote feature in pam_usb configuration as a temporary measure. Note that this removes the remote-session check entirely rather than making it reliable, so it is only appropriate where remote access to the affected hosts is already restricted by other controls
  • Review authentication logs from long-lived PAM-hosting processes, GDM and other display managers in particular, for pam_usb decisions that contradict the session type: a console login refused as remote, or an authentication accepted from a session that should have been classified as remote
  • Review and test pam_usb configurations in staging environments before production deployment to ensure deny_remote behavior matches security policy expectations
  • Apply principle of least privilege to pam_usb deployments, limiting its use to specific authentication contexts where hardware-based authentication provides clear security benefits

Evidence notes

The CVE description and GitHub Security Advisory confirm the race condition via strtok() in concurrent authentication threads, the environment corruption through in-place modification of the getenv() result, and the fix in version 0.9.0. The CVSS 3.1 vector (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N) reflects a local attack vector, high attack complexity, low privileges required, and high impact to confidentiality and integrity. It scores no availability impact, even though the misclassification of a local session as remote described above refuses a legitimate login; the denial-of-service risk noted earlier is therefore not captured in the 6.3 score.

Official resources

2026-05-27