PatchSiren cyber security CVE debrief

CVE-2026-47272 mcdope CVE debrief

pam_usb 0.9.0 fixes an authentication bypass in the pusb_pad_compare() function. Prior to this version, the function verified that the user-side pad file (~/.pamusb/device.pad) was readable but did not enforce that the system-side pad on the USB device was present and readable. If a local user deleted their own ~/.pamusb/device.pad, the resulting failure was treated as non-fatal in certain code paths, allowing authentication to succeed without the physical USB device being verified. This permits local privilege escalation by removing the hardware authentication requirement.

Vendor: mcdope
Product: pam_usb
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-28
Advisory published: 2026-05-27
Advisory updated: 2026-05-28

Who should care

Organizations using pam_usb for hardware-based Linux authentication, system administrators managing multi-factor authentication deployments, and security teams responsible for privilege escalation prevention on Linux endpoints.

Technical summary

The pusb_pad_compare() function in pam_usb's src/pad.c prior to 0.9.0 fails to properly enforce dual verification of authentication pads. The function checks readability of the user-side pad (~/.pamusb/device.pad) but does not similarly verify the system-side pad on the USB device. When the user-side pad is deleted or unreadable, the error return is treated as non-fatal in certain authentication paths, resulting in successful authentication without possession of the registered USB device. A local attacker can exploit this by removing their own pad file to bypass hardware-based authentication requirements.
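To make the failure mode concrete, the following is an added, simplified C model written for this debrief; it is not pam_usb's src/pad.c, and the function names, the 16-byte pad size and the /tmp paths used for the demonstration are all constructed. It contrasts a fail-open compare, which treats an unreadable user-side pad as non-fatal and never consults the device pad, with the fail-closed form that requires both pads to be present, fully readable and equal.

```c
#include <stdio.h>
#include <string.h>

#define PAD_SIZE 16   /* constructed: real pam_usb pads are larger */

/* Constructed pad contents for the demonstration. */
const unsigned char PAD_A[PAD_SIZE] = "AAAAAAAAAAAAAAAA";
const unsigned char PAD_B[PAD_SIZE] = "BBBBBBBBBBBBBBBB";

/* Read exactly PAD_SIZE bytes; 1 on success, 0 if missing, unreadable or short. */
static int read_pad(const char *path, unsigned char *out)
{
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    size_t n = fread(out, 1, PAD_SIZE, f);
    fclose(f);
    return n == PAD_SIZE;
}

/* Create a pad file (demo helper); 1 on success. */
int write_pad(const char *path, const unsigned char *data)
{
    FILE *f = fopen(path, "wb");
    if (!f) return 0;
    size_t n = fwrite(data, 1, PAD_SIZE, f);
    fclose(f);
    return n == PAD_SIZE;
}

/* Fail-open pattern (simplified model of the pre-0.9.0 behaviour described
 * in the advisory): a read failure on the user-side pad is treated as
 * non-fatal, the caller gets success, and the device pad is never checked.
 * Return value: 1 = authenticated, 0 = denied. */
int pad_compare_fail_open(const char *user_pad, const char *device_pad)
{
    unsigned char u[PAD_SIZE], d[PAD_SIZE];
    if (!read_pad(user_pad, u)) return 1;   /* BUG: missing pad => success */
    if (!read_pad(device_pad, d)) return 0;
    return memcmp(u, d, PAD_SIZE) == 0;
}

/* Fail-closed pattern: both pads must exist, be fully readable and match;
 * any read error denies authentication. */
int pad_compare_fail_closed(const char *user_pad, const char *device_pad)
{
    unsigned char u[PAD_SIZE], d[PAD_SIZE];
    if (!read_pad(user_pad, u) || !read_pad(device_pad, d)) return 0;
    return memcmp(u, d, PAD_SIZE) == 0;
}
```

With matching pads both variants authenticate; once the user-side pad file is removed, the fail-open variant still reports success while the fail-closed variant denies, which is the difference the 0.9.0 fix enforces.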

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade pam_usb to version 0.9.0 or later to obtain the fix for pusb_pad_compare()
  • Audit systems for pam_usb installations and verify current version
  • Review authentication logs for anomalous successful authentications that may indicate exploitation
  • Ensure file permissions on ~/.pamusb/ directories restrict unauthorized modification
  • Consider implementing additional authentication factors as defense in depth

Evidence notes

The vulnerability exists in src/pad.c in the pusb_pad_compare() function. The fix in version 0.9.0 enforces proper verification of both pad files. CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. CWE-287 (Improper Authentication) and CWE-908 (Use of Uninitialized Resource) are identified as relevant weaknesses.

Official resources

2026-05-27