Observable Timing Discrepancy in Linux-PAM's pam_userdb Module
CVE-2026-54411

6.9 MEDIUM

Key Information:

Vendor

Linux-pam

Status
Vendor
CVE Published:
14 June 2026

What is CVE-2026-54411?

The pam_userdb module in Linux-PAM up to and including version 1.7.2 has an observable timing discrepancy in its plaintext-password comparison. A local or network-adjacent attacker can recover a target account's password by measuring variations in the authentication response time. When pam_userdb is configured with crypt=none or with an unrecognized crypt method, the stored credential is compared with the candidate in plaintext using strncmp(), which returns as soon as it reaches the first differing byte; the time taken therefore depends on the position of that byte and on the length of the candidate password, exposing both the password's length and its leading bytes. The fix is to perform the comparison with the constant-time pam_consttime_streq helper.
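To make the flaw and its fix concrete, here is an added illustration written for this page (my own code, not Linux-PAM's source): an instrumented early-exit compare in the strncmp() shape the advisory describes, beside a constant-time string equality in the spirit of the pam_consttime_streq helper it names. The `work` out-parameter and the sample secret are assumptions added for measurement, so the leak shows up as a byte count rather than as wall-clock time.

```c
#include <stdbool.h>
#include <stdio.h>

/* Early-exit compare in the strncmp() shape the advisory describes (a model,
 * not Linux-PAM's source). *work receives how many byte positions were
 * examined before the loop stopped: that count is what leaks through timing. */
bool leaky_streq(const char *secret, const char *candidate, size_t *work)
{
    for (size_t i = 0;; i++) {
        unsigned char s = (unsigned char)secret[i];
        unsigned char c = (unsigned char)candidate[i];
        *work = i + 1;
        if (s != c)
            return false;           /* stops at the first differing byte */
        if (s == '\0')
            return true;            /* full match: whole length examined */
    }
}

/* Constant-time equality, my own implementation in the spirit of the
 * pam_consttime_streq() helper the advisory names (not its actual code).
 * Every candidate byte is visited and differences are OR-accumulated; the
 * secret pointer parks on its '\0', so work depends only on candidate length. */
bool consttime_streq(const char *secret, const char *candidate, size_t *work)
{
    volatile const unsigned char *s = (volatile const unsigned char *)secret;
    volatile const unsigned char *c = (volatile const unsigned char *)candidate;
    volatile unsigned char diff = 0;
    size_t n = 0;
    do {
        diff |= *c ^ *s;
        s += (*s != 0);             /* stay on '\0' once the secret is exhausted */
        n++;
    } while (*c++ != '\0');
    *work = n;
    return diff == 0;
}

int main(void)
{
    const char *secret = "s3cret";  /* constructed sample, not a real credential */
    const char *guesses[] = { "x3cret", "s3crex", "s3cret" };
    for (int i = 0; i < 3; i++) {
        size_t wl, wc;
        bool ml = leaky_streq(secret, guesses[i], &wl);
        bool mc = consttime_streq(secret, guesses[i], &wc);
        printf("%s leaky=%d/%zu consttime=%d/%zu\n", guesses[i], ml, wl, mc, wc);
    }
    return 0;
}
```

The early-exit version examines 1, 6 and 7 bytes for the three guesses, while the constant-time version examines 7 for every candidate of that length, which is exactly the difference a timing measurement can and cannot observe.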

Affected Version(s)

Linux-PAM, all versions up to and including 1.7.2

CVSS v4

Score: 6.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Xurshidbek Sobirjonov