These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
pam_usb 0.9.0 fixes a logic flaw in the deny_remote feature that allowed IPv4 SSH connections to bypass remote-session detection on dual-stack (IPv6 wildcard) hosts. The vulnerability stems from an incomplete check of the ut_addr_v6 field: the code only tested ut_addr_v6[0] != 0, which fails for IPv4-mapped IPv6 addresses (::ffff:x.x.x.x) where the IPv4 address is stored in ut_addr_v6[3]. On systems with [truncated]
pam_usb prior to 0.8.7 contains multiple command injection vulnerabilities enabling root remote code execution. The primary attack vector involves a crafted filesystem UUID containing shell metacharacters (e.g., $(id>/tmp/rce)) that is processed unsafely when pamusb-conf --reset-pads executes. USB device controllers permitting UUID modification allow payload injection during --add-device operations. A sec [truncated]
CVE-2026-44711 is a high-severity vulnerability in pam_usb, a Linux hardware authentication module that enables authentication using ordinary removable media. The flaw, present in versions prior to 0.8.7, involves symlink attacks targeting the pad directory and pad files. Successful exploitation can result in authentication bypass and root file corruption. The vulnerability was published on May 27, 2026, [truncated]
A heap-based buffer overflow vulnerability exists in pam_usb prior to version 0.9.1, affecting hardware authentication on Linux systems using removable media. The flaw resides in src/conf.c, where heap memory allocation is calculated as n_devices multiplied by sizeof(t_pusb_device) without enforcing an upper bound on n_devices. On 32-bit architectures (armv7l, i686), this multiplication can wrap around si [truncated]
pam_usb 0.9.0 and earlier contain an authentication bypass vulnerability when deny_remote=false is configured. The PAM_RHOST check, which should reject remote connections (such as XDMCP sessions), is incorrectly gated behind the deny_remote option. When administrators set deny_remote=false to accommodate display managers like GDM or LightDM, the remote host validation is also disabled. This allows remote [truncated]
pam_usb prior to 0.9.0 resolves external binaries through PATH rather than absolute paths in multiple helper tools, allowing environment-influenced binary substitution during PAM authentication. The affected components are pamusb-check (src/tmux.c), pamusb-conf (tools/pamusb-conf), and pamusb-keyring-unlock-gnome (tools/pamusb-keyring-unlock-gnome). An attacker with the ability to manipulate the process envir [truncated]
pam_usb prior to version 0.9.0 is vulnerable to XPath injection due to improper validation of user-supplied and device-supplied identifiers when constructing XPath expressions to query /etc/pamusb.conf. The vulnerability allows injection of arbitrary XPath predicates through identifiers including PAM usernames, service names, USB device serial numbers, models, and vendor strings. This could enable authent [truncated]
pam_usb 0.9.0 fixes an authentication bypass in the pusb_pad_compare() function. Prior to this version, the function verified that the user-side pad file (~/.pamusb/device.pad) was readable but did not enforce that the system-side pad on the USB device was present and readable. If a local user deleted their own ~/.pamusb/device.pad, the resulting failure was treated as non-fatal in certain code paths, all [truncated]
pam_usb 0.9.0 fixes a local denial-of-service vulnerability where out-of-memory guards in xmalloc(), xrealloc(), and xstrdup() were implemented using assert(), which is compiled out when NDEBUG is defined. In release builds (common in Debian, Fedora, and Arch packages), allocation failures cause NULL pointer dereferences, crashing the PAM module and blocking authentication via sudo or login. An attacker w [truncated]