CVE-2026-44709: pam_usb: PINENTRY_FALLBACK_APP environment variable allows arbitrary command execution
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, pamusb-pinentry reads the PINENTRY_FALLBACK_APP environment variable and executes it directly without any validation. Any process that can set environment variables before pamusb-pinentry is invoked can point PINENTRY_FALLBACK_APP at an arbitrary binary or script and have it executed with the privileges of the pam_usb tool chain. This vulnerability is fixed in 0.8.7.
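The pattern described above next to one way to harden it, as an added example that is not pam_usb's code and not its 0.8.7 fix: the environment variable is treated only as a preference among allowlisted programs, and each candidate must be owned by a trusted user and not writable by group or others. The function names, the allowlist paths and the `trusted_uid` parameter are assumptions made for illustration.

```python
import os
import stat

# Assumed allowlist for illustration; these paths are not taken from pam_usb.
ALLOWED_FALLBACKS = ("/usr/bin/pinentry", "/usr/bin/pinentry-curses")


def resolve_unsafe(env):
    """Pattern from the advisory: the caller-controlled value is used as-is."""
    return env.get("PINENTRY_FALLBACK_APP")


def is_trusted_binary(path, trusted_uid=0):
    """True if path is an absolute, regular, executable file owned by
    trusted_uid and not writable by group or others."""
    if not os.path.isabs(path):
        return False
    try:
        st = os.stat(path)  # follows symlinks, so the real target is checked
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode) or st.st_uid != trusted_uid:
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return bool(st.st_mode & stat.S_IXUSR)


def resolve_hardened(env, allowed=ALLOWED_FALLBACKS, trusted_uid=0):
    """Return the resolved path of a trustworthy fallback program, or None.

    The environment value can reorder the allowlist but can never add a
    path that is not already on it.
    """
    requested = env.get("PINENTRY_FALLBACK_APP")
    candidates = list(allowed)
    if requested in allowed:
        candidates.remove(requested)
        candidates.insert(0, requested)
    for path in candidates:
        real = os.path.realpath(path)
        if is_trusted_binary(real, trusted_uid):
            return real
    return None
```

A caller would execute only the returned path, and fail closed when the result is `None`.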
HarborGuard Analysis
Synopsis
An environment-variable injection vulnerability in pam_usb (the pamusb-pinentry component) allows a local attacker with a low-privilege account to execute arbitrary commands with the privileges of the pam_usb tool chain. The flaw is reachable locally: an attacker sets the PINENTRY_FALLBACK_APP environment variable to any binary or script before pamusb-pinentry is invoked, and that target is executed without validation. Successful exploitation gives the attacker full read, write, and execution control at the elevated privilege level of the pam_usb stack. No fix version has been published upstream yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as an upstream fix ships.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including internally built images that bundle pam_usb or pamusb-pinentry. Any image containing an affected version of mcdope/pam_usb (prior to 0.8.7) is flagged automatically.
Status: Available
HarborGuard scores this finding at CVSS 7.8 HIGH based on the published v3.1 vector, and that score is applied consistently across every scanned image. Per-environment compliance policy weighting is available to adjust severity thresholds and route the finding to the appropriate team inbox within each customer organization.
Status: Available
No upstream fix has been published as of the CVE record date, so no patched-image rebuild is currently available. HarborGuard re-evaluates the advisory on every ingest cycle; the moment an upstream fix is released, a patched-image rebuild at the fix version becomes available, and customers with auto-remediation enabled will receive a rebuild, a regression-test run, and a PR opened against affected workloads automatically.
Status: Pending upstream
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network access to the target service is required.
- Authentication: Required
  Any low-privilege local account is sufficient to set environment variables before pamusb-pinentry is invoked.
- Victim interaction: Not required
  No user interaction is needed; the attacker sets the environment variable and waits for or triggers a pam_usb authentication flow.
- Attack complexity
  The exploit is reliable and condition-free: no race conditions, memory layout dependencies, or special environmental factors are required.
Blast Radius
- Reads sensitive files and credentials accessible to the pam_usb privilege level, including authentication material on the host.
- Writes or modifies files owned by the elevated process, enabling persistent backdoors or configuration tampering.
- Executes arbitrary binaries with the elevated privileges of the pam_usb tool chain, allowing full local privilege escalation.
- Disrupts the authentication subsystem itself by replacing or corrupting pam_usb components.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE is active against all scanned images containing pam_usb prior to version 0.8.7, with findings scored at CVSS 7.8 HIGH and routed according to each environment's compliance policy. Because no upstream fix exists at this time, no patched-image rebuild is yet available. HarborGuard re-checks the advisory on every ingest cycle and will make the rebuild available and trigger the auto-remediation flow (rebuild, regression run, PR against affected workloads) for customers with that option enabled the moment version 0.8.7 or a later fix is published. In the interim, compensating controls available within HarborGuard include network-policy isolation annotations to limit local process exposure, egress filtering recommendations to reduce attacker utility after execution, and feature-flag gating guidance to disable pam_usb in images where hardware authentication is not strictly required.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
  - mcdope / pam_usb < 0.8.7
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H