Vulnerability in pam_usb Authentication for Linux by mcdope
CVE-2026-47272

7.1 HIGH

Key Information:

Vendor

Mcdope

Status
Vendor
CVE Published: 27 May 2026

What is CVE-2026-47272?

The pam_usb component by mcdope, used for hardware authentication on Linux systems, has a significant vulnerability in the functions that handle device pad verification. Prior to version 0.9.0, the pusb_pad_compare() function did not require the USB device's pad file to be present, so users could bypass physical device authentication simply by deleting their local pad file. This oversight permits unauthorized access, because the authentication process erroneously accepts the user-side pad as valid without confirming the integrity of the required USB hardware. This critical issue has been addressed in version 0.9.0.
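
A simplified model of the fail-open comparison described above, next to a fail-closed version, added here as an illustration; it is not pam_usb source code or the 0.9.0 patch. The function names, file names and pad contents are constructed assumptions.

```c
/* Illustrative model: names and pad format are assumptions, not pam_usb code. */
#include <stdio.h>
#include <string.h>
#define PAD_MAX 1024

/* Read a pad file into buf; returns its length, or -1 if missing or empty. */
static long read_pad(const char *path, unsigned char *buf)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, PAD_MAX, f);
    fclose(f);
    return n > 0 ? (long)n : -1;
}

/* Fail-open: a missing host-side pad is accepted; the device pad is never read. */
int pad_compare_fail_open(const char *host_pad, const char *device_pad)
{
    unsigned char h[PAD_MAX], d[PAD_MAX];
    long hn = read_pad(host_pad, h);
    if (hn < 0) return 1;  /* flaw: absence treated as success */
    long dn = read_pad(device_pad, d);
    return dn == hn && memcmp(h, d, (size_t)hn) == 0;
}

/* Fail-closed: both pads must exist, be the same length and match. */
int pad_compare_fail_closed(const char *host_pad, const char *device_pad)
{
    unsigned char h[PAD_MAX], d[PAD_MAX], diff = 0;
    long hn = read_pad(host_pad, h), dn = read_pad(device_pad, d);
    if (hn < 0 || dn < 0 || hn != dn) return 0;
    for (long i = 0; i < hn; i++) diff |= h[i] ^ d[i];  /* no early exit */
    return diff == 0;
}

/* Constructed fixture: write a sample pad so the demo runs offline. */
int write_pad(const char *path, const char *data)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    fputs(data, f);
    return fclose(f);
}
int main(void)
{
    write_pad("device.pad", "constructed-sample-pad");
    printf("fail-open:   %d\n", pad_compare_fail_open("no-host.pad", "device.pad"));
    printf("fail-closed: %d\n", pad_compare_fail_closed("no-host.pad", "device.pad"));
    return remove("device.pad");
}
```

Any error path in an authentication comparison (missing file, short read, length mismatch) should return a denial, which is the property the second function enforces.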

Affected Version(s)

pam_usb < 0.9.0

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
