PatchSiren cyber security CVE debrief
CVE-2026-48980 mcdope CVE debrief
The pam_usb authentication module for Linux, used for hardware authentication via removable media, contains a vulnerability (CVE-2026-48980) that allows environment variable injection. The issue arises from the values getenv() returns for the environment variables XRDP_SESSION, DISPLAY, and TMUX. Specifically, in setuid binaries like sudo and su, getenv() can return attacker-controlled values if a local user has manipulated the process environment. The vulnerability is fixed in pam_usb version 0.9.2. Users should update to this version or later to mitigate the risk.
- Vendor: mcdope
- Product: pam_usb
- CVSS: MEDIUM 6.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-18
- Original CVE updated: 2026-06-22
- Advisory published: 2026-06-18
- Advisory updated: 2026-06-22
Who should care
System administrators and security professionals managing Linux systems that utilize pam_usb for authentication should be aware of this vulnerability. Updating pam_usb to version 0.9.2 or later is crucial to prevent potential environment variable injection attacks.
Technical summary
CVE-2026-48980 is a vulnerability in pam_usb that allows environment variable injection through getenv(). The affected versions of pam_usb allow local users to manipulate environment variables XRDP_SESSION, DISPLAY, and TMUX, which can influence local-check logic in PAM modules running in setuid binaries like sudo and su. This can lead to security bypasses. The vulnerability has been fixed in pam_usb version 0.9.2.
Defensive priority
MEDIUM
Recommended defensive actions
- Update pam_usb to version 0.9.2 or later.
- Review and restrict the use of setuid binaries like sudo and su.
- Monitor environment variables XRDP_SESSION, DISPLAY, and TMUX for unusual activity.
- Implement additional security measures to restrict local user environment variable manipulation.
- Regularly review and update Linux systems and authentication modules.
- Consider implementing additional authentication mechanisms beyond pam_usb.
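To scope the first action, the following added example (not code from the advisory or from the pam_usb project) compares an installed version with 0.9.2 and lists the PAM services that load pam_usb.so directly or through an include. It assumes the version string is supplied by the caller, for instance from the package manager, and the PAM files in SAMPLE are constructed for illustration.

```python
import re

FIXED = (0, 9, 2)  # first fixed pam_usb release named in this debrief

def parse_version(text):
    """Turn '0.9.1' or '1:0.9.1-2' into a comparable tuple of ints."""
    upstream = text.strip().split(":", 1)[-1]        # drop a package epoch
    m = re.match(r"\d+(?:\.\d+)*", upstream)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))
    return parts + (0,) * (3 - len(parts))

def rules(text):
    """Yield the whitespace-split fields of each non-comment PAM line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield fields

def loads_pam_usb(text):
    return any(f.endswith("pam_usb.so") for fields in rules(text) for f in fields)

def included(text):
    """Names pulled in via '@include X' or '<type> include|substack X'."""
    names = set()
    for fields in rules(text):
        if fields[0] == "@include" and len(fields) > 1:
            names.add(fields[1])
        elif len(fields) > 2 and fields[1] in ("include", "substack"):
            names.add(fields[2])
    return names

def exposed_services(pam_files):
    """pam_files maps a file name under /etc/pam.d to its text."""
    exposed = {s for s, t in pam_files.items() if loads_pam_usb(t)}
    changed = True
    while changed:                                   # follow include chains
        changed = False
        for service, text in pam_files.items():
            if service not in exposed and included(text) & exposed:
                exposed.add(service)
                changed = True
    return sorted(exposed)

def assess(installed_version, pam_files):
    return {"needs_update": parse_version(installed_version) < FIXED,
            "services": exposed_services(pam_files)}

SAMPLE = {  # constructed PAM files, not taken from a real host
    "common-auth": "auth sufficient pam_usb.so\nauth required pam_unix.so\n",
    "sudo": "#%PAM-1.0\n@include common-auth\n",
    "su": "auth sufficient pam_rootok.so\nauth include common-auth\n",
    "cron": "# pam_usb.so not used here\naccount required pam_access.so\n",
}
```

A host needs attention when `needs_update` is true and `services` is non-empty; entries such as sudo and su in that list are the setuid paths the summary describes.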
Evidence notes
The information provided is based on data from the National Vulnerability Database (NVD) and GitHub security advisories. The CVE record and NVD detail pages provide official information about the vulnerability, while GitHub references offer patch details.