CVE-2026-47272: CWE-287: Improper Authentication in mcdope pam_usb
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, the pusb_pad_compare() function in src/pad.c only verified that the user-side pad (~/.pamusb/device.pad) could be read, but did not enforce that the system-side pad (the pad file on the USB device) was also present and readable. If the user-side pad was deleted or unreadable, the function returned a failure that was treated as non-fatal in certain code paths, allowing authentication to succeed without the USB device being verified. A local user can delete their own ~/.pamusb/device.pad to remove the USB device requirement and authenticate without the physical device. This vulnerability is fixed in 0.9.0.
AI Analysis
Technical Summary
The vulnerability in pam_usb (before version 0.9.0) arises from the pusb_pad_compare() function's failure to verify the system-side pad file on the USB device during authentication. If the user-side pad file (~/.pamusb/device.pad) is missing or unreadable, the function returns a failure that is treated as non-fatal in some code paths, allowing authentication to succeed without verifying the USB device. This enables a local user to bypass the hardware authentication mechanism by deleting their user-side pad file. The issue is addressed in pam_usb version 0.9.0.
Potential Impact
A local attacker with limited privileges can bypass the USB hardware authentication requirement by deleting their own user-side pad file, allowing unauthorized authentication without the physical USB device. This compromises the integrity and confidentiality of the authentication process, potentially granting unauthorized access with high impact on confidentiality and integrity but no impact on availability.
Mitigation Recommendations
Upgrade pam_usb to version 0.9.0 or later, where this vulnerability is fixed. There is no indication of alternative mitigations or temporary fixes. Patch status is not explicitly confirmed beyond the fix in version 0.9.0, so users should verify with the vendor or project repository for the official patch and upgrade guidance.
CVE-2026-47272: CWE-287: Improper Authentication in mcdope pam_usb
Description
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, the pusb_pad_compare() function in src/pad.c only verified that the user-side pad (~/.pamusb/device.pad) could be read, but did not enforce that the system-side pad (the pad file on the USB device) was also present and readable. If the user-side pad was deleted or unreadable, the function returned a failure that was treated as non-fatal in certain code paths, allowing authentication to succeed without the USB device being verified. A local user can delete their own ~/.pamusb/device.pad to remove the USB device requirement and authenticate without the physical device. This vulnerability is fixed in 0.9.0.
CVSS v3.1
Score 7.1high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in pam_usb (before version 0.9.0) arises from the pusb_pad_compare() function's failure to verify the system-side pad file on the USB device during authentication. If the user-side pad file (~/.pamusb/device.pad) is missing or unreadable, the function returns a failure that is treated as non-fatal in some code paths, allowing authentication to succeed without verifying the USB device. This enables a local user to bypass the hardware authentication mechanism by deleting their user-side pad file. The issue is addressed in pam_usb version 0.9.0.
Potential Impact
A local attacker with limited privileges can bypass the USB hardware authentication requirement by deleting their own user-side pad file, allowing unauthorized authentication without the physical USB device. This compromises the integrity and confidentiality of the authentication process, potentially granting unauthorized access with high impact on confidentiality and integrity but no impact on availability.
Mitigation Recommendations
Upgrade pam_usb to version 0.9.0 or later, where this vulnerability is fixed. There is no indication of alternative mitigations or temporary fixes. Patch status is not explicitly confirmed beyond the fix in version 0.9.0, so users should verify with the vendor or project repository for the official patch and upgrade guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-18T23:03:37.230Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a17519de29bf47b50e771a5
Added to database: 5/27/2026, 8:18:37 PM
Last enriched: 5/27/2026, 8:34:12 PM
Last updated: 5/29/2026, 11:05:23 AM
Views: 12
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.