PatchSiren cyber security CVE debrief

CVE-2026-47273 mcdope CVE debrief

pam_usb prior to version 0.9.0 is vulnerable to XPath injection due to improper validation of user-supplied and device-supplied identifiers when constructing XPath expressions to query /etc/pamusb.conf. The vulnerability allows injection of arbitrary XPath predicates through identifiers including PAM usernames, service names, USB device serial numbers, models, and vendor strings. This could enable authentication bypass or unauthorized configuration access. The issue was resolved in version 0.9.0.

Vendor
mcdope
Product
pam_usb
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-28
Advisory published
2026-05-27
Advisory updated
2026-05-28

Who should care

Organizations using pam_usb for hardware-based Linux authentication, system administrators managing PAM configurations, and security teams responsible for authentication infrastructure should prioritize this update.

Technical summary

The pam_usb library constructs XPath expressions using concatenated strings from multiple untrusted sources: PAM usernames, service names, and USB device attributes (serial, model, vendor). Prior to 0.9.0, these values were not sanitized against XPath metacharacters such as single quotes, brackets, and predicates. An attacker with control over any of these input vectors could inject malicious XPath predicates to alter query logic against /etc/pamusb.conf, potentially bypassing authentication requirements or extracting sensitive configuration data. The fix in 0.9.0 implements proper input validation or parameterized XPath construction to prevent injection attacks.

Defensive priority

medium

Recommended defensive actions

  • Upgrade pam_usb to version 0.9.0 or later to remediate the XPath injection vulnerability.
  • Review /etc/pamusb.conf for unauthorized modifications if prior versions were deployed.
  • Validate that USB device identifiers in use do not contain XPath metacharacters as a defense-in-depth measure.
  • Monitor authentication logs for anomalous pam_usb behavior indicating potential exploitation attempts.
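As an added illustration of the identifier check recommended above (this is example Python, not pam_usb's own code, which is C), the block below applies an allowlist to the user, service and device ids that end up inside XPath predicates and audits a constructed /etc/pamusb.conf-style document for ids or device strings that would be unsafe to concatenate into a query. The config layout, the permitted character classes and the sample values are assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET

# Ids naming a user/service/device entry get a strict allowlist; device-supplied
# strings (vendor/model/serial) may hold spaces but never an XPath metacharacter.
SAFE_ID = re.compile(r"[A-Za-z0-9._:-]{1,64}")
XPATH_META = re.compile(r"""['"\[\]()/]""")

# Constructed sample in the layout of /etc/pamusb.conf; two entries carry metacharacters on purpose.
SAMPLE_CONF = """<configuration>
  <devices>
    <device id="alice-key">
      <vendor>ExampleVendor</vendor><model>Flash Drive</model><serial>ABC123</serial>
    </device>
    <device id="bad-key">
      <vendor>ExampleVendor</vendor><model>Flash Drive</model><serial>QUOTE'IN[SERIAL</serial>
    </device>
  </devices>
  <users>
    <user id="alice"><device>alice-key</device></user>
    <user id="eve']"><device>bad-key</device></user>
  </users>
</configuration>"""

def check_id(value):
    """True when an identifier is safe to embed in an XPath predicate."""
    return bool(SAFE_ID.fullmatch(value))

def find_by_id(xml_text, section, element, ident):
    """Look up ./<section>/<element>[@id='<ident>'], refusing unvalidated ids."""
    if not check_id(ident):
        raise ValueError(f"unsafe {element} identifier: {ident!r}")
    root = ET.fromstring(xml_text)
    return root.find(f"./{section}/{element}[@id='{ident}']")

def audit_config(xml_text):
    """Return (element, id, field, value) for every unsafe id or device string."""
    root = ET.fromstring(xml_text)
    findings = []
    for section, element in (("devices", "device"), ("users", "user"), ("services", "service")):
        for node in root.findall(f"./{section}/{element}"):
            ident = node.get("id", "")
            if not check_id(ident):
                findings.append((element, ident, "id", ident))
    for node in root.findall("./devices/device"):
        for field in ("vendor", "model", "serial"):
            text = node.findtext(field, "")
            if XPATH_META.search(text):
                findings.append(("device", node.get("id", ""), field, text))
    return findings
```

Run `audit_config` over a deployed config to get the list of entries worth a closer look; an empty list means every value passes the allowlists used here.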

Evidence notes

CVE published 2026-05-27. Fix commit 721fed08a3596cb5b4671ad702f8fdc12dcc7420 and pull request 311 address the vulnerability. GitHub Security Advisory GHSA-vfj3-5h5v-6g93 tracks the coordinated disclosure. CVSS 3.1 score 6.5 (MEDIUM) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N indicates a network attack vector, high attack complexity, no privileges required, no user interaction, low impact to confidentiality and high impact to integrity. Classified as CWE-91 (XML Injection).
