PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47274 mcdope CVE debrief

pam_usb prior to 0.9.0 resolves external binaries through PATH rather than absolute paths in multiple helper tools, allowing environment-influenced binary substitution during PAM authentication. The affected components are pamusb-check (src/tmux.c), pamusb-conf (tools/pamusb-conf), and pamusb-keyring-unlock-gnome (tools/pamusb-keyring-unlock-gnome). An attacker with ability to manipulate the process environment during authentication or tool execution could redirect execution to malicious binaries. This vulnerability is classified as CWE-427 (Uncontrolled Search Path Element). The issue was fixed in version 0.9.0 through commits addressing path resolution in each affected tool.

Vendor
mcdope
Product
pam_usb
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-28
Advisory published
2026-05-27
Advisory updated
2026-05-28

Who should care

Linux system administrators using pam_usb for hardware-based authentication; security teams managing PAM configurations; organizations relying on removable media for multi-factor authentication on Linux systems

Technical summary

The pam_usb library provides hardware authentication for Linux using removable media. Three helper tools in versions prior to 0.9.0 invoked external programs by bare name, leaving resolution to the PATH environment variable of whatever process ran them. Anyone who controls that PATH, or who can write to a directory that appears on it ahead of the real binary's location, can drop a same-named executable there and have it run in the helper's context; that is the uncontrolled search path element weakness, CWE-427. The affected tools are pamusb-check, pamusb-conf, and pamusb-keyring-unlock-gnome; the fix in 0.9.0 replaces the bare names with absolute paths in all three. Exposure in a given deployment depends on how the helper is invoked: a tool started from a user's own session or shell inherits that user's PATH, whereas login services and sudo with env_reset normally hand PAM a sanitized environment, which is consistent with the high attack complexity in the CVSS vector.
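The mechanism, shown as an added illustration rather than code from pam_usb or its advisory. The constructed scenario places an attacker-writable directory first in PATH and puts a fake executable named after a hypothetical helper dependency (`helper-tool`, an invented name) in it. The vulnerable lookup mirrors what execvp()/popen() do with a bare name and runs the fake; the hardened variant addresses the binary by absolute path, as 0.9.0 does. The permission checks and the pinned child PATH in the hardened variant are extra hardening assumed here, not part of the described fix:

```python
import os
import stat
import subprocess
import tempfile

# Invented name standing in for a helper's external dependency; the real
# binaries the pam_usb tools call are not reproduced here.
TOOL_NAME = "helper-tool"


def resolve_via_path(name, path_env):
    """Vulnerable lookup: mimics the execvp()/popen() PATH search, first hit wins.
    An empty PATH element means the current directory, a classic CWE-427 pitfall."""
    for d in path_env.split(os.pathsep):
        cand = os.path.join(d or os.curdir, name)
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            return cand
    return None


def run_vulnerable(name, env):
    """Pre-0.9.0 pattern: trust whatever the caller's PATH says."""
    exe = resolve_via_path(name, env.get("PATH", ""))
    if exe is None:
        raise FileNotFoundError(name)
    out = subprocess.run([exe], capture_output=True, text=True, check=True)
    return out.stdout.strip()


def run_hardened(abs_exe):
    """0.9.0-style pattern: a fixed absolute path, so the caller's PATH never
    takes part in resolution. Refusing group/world-writable files and pinning
    the child's PATH are additional hardening assumed for this example."""
    if not os.path.isabs(abs_exe):
        raise ValueError("helper binaries must be addressed by absolute path")
    st = os.stat(abs_exe)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{abs_exe} is group/world writable")
    if not stat.S_ISREG(st.st_mode) or not os.access(abs_exe, os.X_OK):
        raise PermissionError(f"{abs_exe} is not an executable regular file")
    out = subprocess.run([abs_exe], capture_output=True, text=True, check=True,
                         env={"PATH": "/usr/bin:/bin"})
    return out.stdout.strip()


def _write_script(directory, name, message):
    """Constructed stand-in binary: a shell script that prints a marker."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(f"#!/bin/sh\necho {message}\n")
    os.chmod(path, 0o755)
    return path


def demo():
    """Constructed scenario: an attacker-writable directory precedes the real
    install location in PATH. Returns (vulnerable result, hardened result)."""
    with tempfile.TemporaryDirectory() as root:
        legit_dir = os.path.join(root, "usr", "bin")       # stands in for /usr/bin
        evil_dir = os.path.join(root, "tmp", "attacker")   # user-writable directory
        os.makedirs(legit_dir)
        os.makedirs(evil_dir)
        legit = _write_script(legit_dir, TOOL_NAME, "LEGIT")
        _write_script(evil_dir, TOOL_NAME, "HIJACKED")
        env = {"PATH": os.pathsep.join([evil_dir, legit_dir])}
        return run_vulnerable(TOOL_NAME, env), run_hardened(legit)


if __name__ == "__main__":
    print(demo())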

Defensive priority

medium

Recommended defensive actions

  • Upgrade pam_usb to version 0.9.0 or later, or, for source builds, apply the three fix commits, so that every helper addresses its external binaries by absolute path
  • Audit PAM stacks (/etc/pam.d/*) that reference pam_usb and any scripts or desktop integrations that invoke pamusb-check, and confirm they run the updated tools rather than stale copies left in other locations
  • Review how each helper receives its environment: where a helper runs under sudo, confirm Defaults env_reset and secure_path are in effect; where it runs from a user's own session (as a keyring unlock helper would), treat PATH as user-controlled until the upgrade is in place
  • Monitor for writable, relative or empty entries in the PATH of the invoking processes, and for new executables appearing in user-writable directories that are on PATH under the names of the helpers' dependencies
  • Verify integrity of pamusb-check, pamusb-conf, and pamusb-keyring-unlock-gnome after the update, using the package manager's verification (for example rpm -V or dpkg --verify) for distribution packages, or hashes from a fresh build for source installs
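A check for the PATH audit recommended above, written for this debrief and not taken from pam_usb: it classifies each PATH element the way an attacker would look at it (empty element, relative element, missing directory, world- or group-writable directory, directory owned by someone other than the trusted owner). The constructed scenario in `demo()` builds a PATH with one sane directory, one /tmp-like directory, one missing directory, an empty element and a relative element; `trusted_uid` is set to the current user there only so the scenario behaves the same whether or not it runs as root.

```python
import os
import stat
import tempfile


def audit_path(path_env, trusted_uid=0):
    """Flag PATH entries a local user could use for binary substitution.

    Returns a list of (entry, code) pairs. An entry passes only if it is an
    existing absolute directory, owned by trusted_uid (root by default), that
    is neither group- nor world-writable. Check logic constructed for this
    debrief, not part of pam_usb."""
    findings = []
    for entry in path_env.split(os.pathsep):
        if entry == "":
            findings.append((entry, "empty"))        # empty element == current directory
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative"))     # resolves against the caller's cwd
            continue
        try:
            st = os.stat(entry)
        except FileNotFoundError:
            findings.append((entry, "missing"))      # whoever can create it controls it
            continue
        if not stat.S_ISDIR(st.st_mode):
            findings.append((entry, "not-a-directory"))
        elif st.st_mode & stat.S_IWOTH:
            # The sticky bit does not help: anyone can still create new files.
            findings.append((entry, "world-writable"))
        elif st.st_mode & stat.S_IWGRP:
            findings.append((entry, "group-writable"))
        elif st.st_uid != trusted_uid:
            findings.append((entry, "untrusted-owner"))
    return findings


def demo():
    """Constructed PATH exercising each finding class. Returns a dict keyed by
    the entry's basename ("<empty>" for the empty element)."""
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "good")
        loose = os.path.join(root, "loose")
        os.mkdir(good)
        os.chmod(good, 0o755)
        os.mkdir(loose)
        os.chmod(loose, 0o1777)                      # like /tmp
        path_env = os.pathsep.join(
            [good, loose, os.path.join(root, "missing"), "", "bin"])
        return {os.path.basename(e) or "<empty>": code
                for e, code in audit_path(path_env, trusted_uid=os.getuid())}


if __name__ == "__main__":
    # Audit the live PATH of the invoking shell.
    for entry, code in audit_path(os.environ.get("PATH", "")):
        print(f"{code:16} {entry or '(empty)'}")
```

Run as a user, the script reports on that user's own PATH; to assess the environment a helper actually sees, run it under the same invocation path (for example via sudo or from the session that launches the keyring helper).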

Evidence notes

Official CVE record published 2026-05-27. GitHub Security Advisory GHSA-pp29-w28g-r9h9 confirms the affected versions and the fix. Three commits (1ee87459, 52a1fd64, 993e73d8) implement the fix by using absolute paths instead of PATH-dependent resolution, one per affected tool. The CVSS 3.1 vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N, from which the 6.3 base score follows, describes a local attack of high complexity that needs low privileges and no user interaction and, if it succeeds, has high impact on confidentiality and integrity but none on availability.

Official resources

2026-05-27