Vulnerability in pam_usb Authentication Tool for Linux Affects Multiple Binary Resolutions
CVE-2026-47274

6.3MEDIUM

Key Information:

Vendor

Mcdope

Status
Pam Usb
Vendor
CVE Published:
27 May 2026

What is CVE-2026-47274?

The pam_usb authentication tool for Linux is vulnerable due to the improper resolution of external binaries through the PATH environment variable instead of utilizing absolute paths. This flaw is present in versions prior to 0.9.0 and affects several helper tools including pamusb-check, pamusb-conf, and pamusb-keyring-unlock-gnome. An attacker with the ability to modify the process environment during PAM authentication could exploit this vulnerability to substitute malicious executables, potentially compromising system security. The issue has been addressed in version 0.9.0.

Affected Version(s)

pam_usb < 0.9.0

References

https://github.com/mcdope/pam_usb/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/mcdope/pam_usb/commit/1ee8745920388df4...
x_refsource_MISC
https://github.com/mcdope/pam_usb/commit/52a1fd6413b7ffcc...
x_refsource_MISC

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.