Security Flaw in Hardware Authentication Tool for Linux from pam_usb
CVE-2026-44709

7.8 HIGH

Key Information:

Vendor: Mcdope
Status: Vendor
CVE Published: 27 May 2026

What is CVE-2026-44709?

The pam_usb tool, designed for hardware authentication on Linux systems, contains a vulnerability prior to version 0.8.7 that allows unauthorized execution of arbitrary binaries. Specifically, the pamusb-pinentry component reads the PINENTRY_FALLBACK_APP environment variable without conducting any validation. As a result, a process that sets environment variables prior to invoking pamusb-pinentry can redirect this variable to point to any binary or script, thus executing it with the privileges inherent to the pam_usb tool chain. This flaw poses a significant security risk, and users are encouraged to upgrade to version 0.8.7 or later. More detailed information can be found in the official advisory.
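The description above boils down to one pattern: a privileged helper takes a program path from an environment variable and executes it without checking it. The following C program is an added illustration written for this page, not pam_usb's own code, and the allowlist paths, the helper names and the sample values are assumptions. It shows the trusting lookup beside a hardened one that only accepts an exact match from a fixed allowlist of absolute paths and fails closed otherwise, which is the kind of check a fixed build is expected to apply.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical allowlist: the only programs the fallback may point at.
   These paths are assumptions for this example, not pam_usb's real list. */
static const char *const ALLOWED_FALLBACKS[] = {
    "/usr/bin/pinentry-curses",
    "/usr/bin/pinentry-tty",
    NULL
};

/* Vulnerable pattern (illustrative): the variable's value is used as-is,
   so whoever controls the environment controls what gets executed. */
const char *fallback_app_unchecked(const char *env_value) {
    return env_value;
}

/* Hardened pattern: accept the value only if it is an absolute path that
   exactly matches an allowlist entry; return NULL so the caller fails closed. */
const char *fallback_app_checked(const char *env_value) {
    if (env_value == NULL || env_value[0] != '/')
        return NULL;                         /* relative names are rejected */
    for (size_t i = 0; ALLOWED_FALLBACKS[i] != NULL; i++) {
        if (strcmp(env_value, ALLOWED_FALLBACKS[i]) == 0)
            return ALLOWED_FALLBACKS[i];     /* return our own copy, not the input */
    }
    return NULL;
}

/* Read PINENTRY_FALLBACK_APP from the environment, validate it, and
   additionally require that the allowlisted file is executable on this host. */
const char *select_fallback_app(void) {
    const char *value = getenv("PINENTRY_FALLBACK_APP");
    const char *chosen = fallback_app_checked(value);
    if (chosen != NULL && access(chosen, X_OK) != 0)
        return NULL;                         /* allowlisted but missing: fail closed */
    return chosen;
}

int main(void) {
    /* Constructed demo value: an untrusted path injected via the environment. */
    setenv("PINENTRY_FALLBACK_APP", "/tmp/untrusted-script.sh", 1);
    const char *value = getenv("PINENTRY_FALLBACK_APP");

    printf("unchecked lookup would run: %s\n", fallback_app_unchecked(value));
    const char *safe = select_fallback_app();
    printf("checked lookup selects:     %s\n", safe ? safe : "(nothing; refusing)");
    return 0;
}
```

The important design choice is that the checked lookup returns a pointer into the allowlist rather than the caller-supplied string, so downstream code can never execute a value that did not originate in the program's own table; the `access()` check is a convenience, not the security boundary.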

Affected Version(s)

pam_usb < 0.8.7

References

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
