Environment Variable Injection Vulnerability in pam_usb for Linux
CVE-2026-48980

6.3 MEDIUM

Key Information:

Vendor: Mcdope

Status
Vendor
CVE Published: 18 June 2026

What is CVE-2026-48980?

pam_usb provides hardware authentication on Linux systems through removable media. Versions prior to 0.9.2 are vulnerable to environment variable injection: local users can manipulate specific environment variables, such as XRDP_SESSION, DISPLAY, and TMUX, to influence the module's local-check logic. This jeopardizes the security of processes running as setuid binaries, including 'sudo' and 'su'. The vulnerability compromises the integrity of session identification, potentially exposing systems to unauthorized access. The issue is fixed in version 0.9.2.

Affected Version(s)

pam_usb < 0.9.2

CVSS V3.1

Score: 6.3
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved