HIGH | CVE-2026-44712 | CNA: GitHub_M

CVE-2026-44712: pam_usb: Shell injection via device UUID and username in pamusb-conf and pamusb-agent

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, a crafted UUID such as $(id>/tmp/rce) in the config causes root RCE when pamusb-conf --reset-pads is run. A USB device with a crafted filesystem UUID (some controllers allow this) can inject the payload at --add-device time. Also, userName from the XML config is passed to os.system() in pamusb-agent, which invokes a shell. This vulnerability is fixed in 0.8.7.
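
The injection class described above, shown from the defender's side as an added example; this is not pam_usb's code and not its 0.8.7 fix. It audits a configuration for UUID and username values that fail a strict allowlist, then shows a value reaching a child process as a single argv element with no shell involved. The XML element and attribute names, the allowlist patterns and the sample config are assumptions constructed for illustration.

```python
import re
import subprocess
import sys
import xml.etree.ElementTree as ET

# Assumed allowlists: UUIDs as hex digits and dashes, conservative POSIX usernames.
UUID_RE = re.compile(r"[0-9A-Fa-f-]{4,36}")
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

# Constructed sample config; element and attribute names are assumptions.
SAMPLE_CONF = """<configuration>
  <devices>
    <device id="good"><volume_uuid>6F6B-42FC</volume_uuid></device>
    <device id="bad"><volume_uuid>$(id>/tmp/rce)</volume_uuid></device>
  </devices>
  <users>
    <user id="alice"><device>good</device></user>
    <user id="bob;true"><device>good</device></user>
  </users>
</configuration>"""


def audit_config(xml_text):
    """Return (field, value) pairs whose values fail the allowlists."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter("volume_uuid"):
        value = (node.text or "").strip()
        if not UUID_RE.fullmatch(value):
            findings.append(("volume_uuid", value))
    for node in root.iter("user"):
        value = node.get("id", "")
        if not USER_RE.fullmatch(value):
            findings.append(("user", value))
    return findings


def pass_as_argv(value):
    """Hand a value to a child process as one argv element, with no shell."""
    child = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", value]
    return subprocess.run(child, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for field, value in audit_config(SAMPLE_CONF):
        print(f"reject {field}: {value!r}")
    # The child receives the literal string; nothing is expanded or executed.
    print(pass_as_argv("$(id>/tmp/rce)"))
```

Validation at the point where the value is read and argv-list invocation at the point where it is used are independent controls; either one alone stops a value like the one in the advisory from being interpreted by a shell.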

HarborGuard Analysis

Synopsis

Shell injection vulnerabilities in pam_usb (versions before 0.8.7) allow an attacker with admin-level access to inject arbitrary shell commands through crafted device UUIDs in the configuration file or through a malicious username value passed to os.system() in pamusb-agent. The attack is local, requires high privileges to set up the malicious config, and runs with root-level scope due to how the affected tools invoke shell commands. Successful exploitation gives the attacker full read, write, and execution control over the host. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-44712 is available across all HarborGuard environments. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle pam_usb, in both registry scans and live pipeline checks.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 8.2 (HIGH) using the published v3.1 vector and weights findings against each customer organization's compliance policy to determine urgency and routing. Triage alerts are directed to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Status: Available

Patch

Because no upstream fix version has been published yet, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream project ships a corrected release. Customers with auto-remediation enabled will receive the rebuild, a regression test run, and a PR opened against affected workloads automatically once a fix is available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access is required to trigger the injection.

  • Authentication: Required

    An admin or privileged account is needed to write the malicious UUID or username into the pam_usb configuration file.

  • Victim interaction: Not required

    No victim interaction is required; the payload executes when the affected tool processes the crafted configuration.

  • Attack complexity: Detail

    The exploit is reliable and condition-free once the crafted config value is in place, requiring no race conditions or special memory layout.

Blast Radius

  • The attacker executes arbitrary commands as root, gaining full control over the host system.
  • All files and stored secrets on the host, including credentials and key material, become readable.
  • The attacker can modify or delete any file on the system, including system binaries and persistent configuration.
  • Host services can be crashed, reconfigured, or repurposed at the attacker's discretion.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix for CVE-2026-44712 has been published, the platform monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment the pam_usb project releases version 0.8.7 or later. In the meantime, customers can use HarborGuard policy controls to flag any image containing an affected version of pam_usb for manual review, apply network-policy isolation to hosts running pamusb-agent to limit lateral reach, and enforce file-integrity monitoring on the pam_usb configuration file to detect unauthorized UUID or username changes. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically once the upstream fix is available, where compliance policy permits.

Metrics

CVSS v3.1: 8.2
Severity: HIGH
Fixed in:
Affected Products: 1
Affected packages:
  • mcdope / pam_usb < 0.8.7
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H