HIGH · CVE-2026-44711 · CNA: GitHub_M

CVE-2026-44711: pam_usb: Symlink attacks on pad directory and pad files enable authentication bypass and root file corruption

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, symlink attacks on pad directory and pad files enable authentication bypass and root file corruption. This vulnerability is fixed in 0.8.7.

HarborGuard Analysis

Synopsis

This is a symlink-following vulnerability in pam_usb, a Linux PAM module that uses removable USB media for hardware-based authentication. An attacker with a local low-privilege account who can induce a victim to trigger a pam_usb authentication event can replace the pad directory or pad files with symbolic links pointing to arbitrary filesystem paths. Successful exploitation allows the attacker to bypass hardware authentication entirely and corrupt or overwrite files owned by root, up to and including system files. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as version 0.8.7 or a downstream fix is published upstream.

HarborGuard Coverage

Detection

Detection of CVE-2026-44711 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle pam_usb. Any image in a customer registry or CI pipeline carrying an affected version of mcdope/pam_usb is flagged automatically.

Status: Available

Triage

Triage is available using the CVSS v3.1 score of 7.9 (HIGH), with per-environment compliance policy weighting applied so that images in stricter compliance tiers are escalated appropriately. Findings are routed to the inbox or ticketing integration configured for each customer organization.

Status: Available

Patch

Because no fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and a pull request against affected workloads will be generated at that point without requiring manual intervention.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the target is required.

  • Authentication: Required

    Any low-privilege local account is sufficient; full administrative credentials are not needed.

  • Victim interaction: Required

    A legitimate user must trigger a pam_usb authentication event (for example, by inserting a USB device and logging in) for the symlink substitution to be leveraged.

  • Attack complexity: Detail

    The exploit is reliable and condition-free once the attacker has write access to the pad directory path; no race condition, special memory layout, or environmental tuning is required.

Blast Radius

  • Bypasses the hardware authentication check enforced by pam_usb, allowing the attacker to authenticate without possessing the required USB device.
  • Overwrites or corrupts arbitrary files on the host by redirecting the pad file path to root-owned system files, because pam_usb operates with elevated privilege during authentication.
  • Persistent system compromise is achievable if critical files such as /etc/passwd, /etc/sudoers, or init scripts are targeted for corruption or replacement.
  • No confidential data disclosure is indicated by the CVSS vector (Confidentiality: None), so the primary risk is integrity loss and availability disruption rather than data leakage.
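
The pad-directory and pad-file redirection described above can be refused at open time by a privileged caller that never follows a symlink and checks the object it actually opened. The following C code is an added example, not pam_usb's code or the 0.8.7 patch; `open_pad_nofollow`, `demo` and the temp-dir file names are hypothetical and constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not pam_usb's API): returns an fd for pad `name`
 * in `dir` owned by `uid`, or -1 if anything is not what it should be. */
int open_pad_nofollow(const char *dir, const char *name, uid_t uid)
{
    struct stat st;
    if (strchr(name, '/')) return -1;   /* pad name must be one component */
    /* O_NOFOLLOW: fail if the pad directory itself is a symlink. */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    /* fstat the opened directory, not its path: owner-only write access. */
    int ok = fstat(dfd, &st) == 0 && st.st_uid == uid &&
             !(st.st_mode & (S_IWGRP | S_IWOTH));
    /* openat resolves the pad inside that directory and refuses a symlink. */
    int fd = ok ? openat(dfd, name, O_RDWR | O_NOFOLLOW | O_CLOEXEC) : -1;
    close(dfd);
    if (fd < 0) return -1;
    /* Accept only a regular, singly linked file owned by the same user. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != uid || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo in a temp dir. Result bits: 1 = real pad opened,
 * 2 = symlinked pad refused, 4 = symlinked pad directory refused. */
int demo(void)
{
    char dir[] = "/tmp/padXXXXXX";
    uid_t me = geteuid();
    int r = 0, fd;
    if (!mkdtemp(dir) || chdir(dir) != 0) return -1;
    close(open("real.pad", O_CREAT | O_WRONLY, 0600));
    if (symlink("real.pad", "link.pad") != 0 || symlink(dir, "dirlink") != 0)
        return -1;
    if ((fd = open_pad_nofollow(dir, "real.pad", me)) >= 0) { r |= 1; close(fd); }
    r |= open_pad_nofollow(dir, "link.pad", me) < 0 ? 2 : 0;
    r |= open_pad_nofollow("dirlink", "real.pad", me) < 0 ? 4 : 0;
    return r;
}

int main(void) { return demo() == 7 ? 0 : 1; }
```

`O_NOFOLLOW` covers only the final path component, so every parent of the pad directory must also be unwritable by other users.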

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for CVE-2026-44711 at this time, HarborGuard monitors the advisory on every ingest cycle and will automatically surface a patched-image rebuild the moment version 0.8.7 or an equivalent downstream patch is released. For customers with auto-remediation enabled, that moment triggers a full rebuild, regression-test run, and a pull request opened against affected workloads. In the interim, compensating controls worth considering include applying strict filesystem permissions on the pam_usb pad directory so that unprivileged users cannot create or replace entries within it, enforcing SELinux or AppArmor policies that restrict which processes can write to authentication-related paths, and isolating hosts that rely on pam_usb behind network policy rules that limit interactive login surface. Customers can configure policy weighting inside HarborGuard to escalate any image containing the affected pam_usb version to a higher-priority queue until the upstream patch is confirmed.

Metrics

  • CVSS v3.1: 7.9
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1
  • Affected packages: mcdope / pam_usb < 0.8.7
  • CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H