Severity: HIGH | CVE-2026-44713 | CNA: GitHub_M

CVE-2026-44713: pam_usb: Command injection via $TMUX environment variable leads to RCE as root

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, src/tmux.c reads the user's $TMUX environment variable, splits it on commas, and interpolates the socket-path component directly into a shell command passed to popen(). Because the value is placed inside double-quotes without sanitisation, any value containing " terminates the quoted string and injects arbitrary shell syntax. popen() runs as root inside the PAM stack. This vulnerability is fixed in 0.8.7.

HarborGuard Analysis

Synopsis

Command injection in pam_usb (versions before 0.8.7) allows a local attacker with a low-privilege account to execute arbitrary commands as root. The flaw is in src/tmux.c, which reads the user-controlled $TMUX environment variable, splits it on commas, and interpolates the socket-path segment directly into a shell command passed to popen() without sanitizing double-quote characters. An attacker who can set their own environment variables can break out of the quoted string and inject arbitrary shell syntax, gaining full root-level code execution on the host. No fix version has been published upstream yet; HarborGuard is tracking the advisory for patch availability.
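An added illustration of the hardened pattern (not pam_usb's code and not the upstream patch): take the socket-path field from a $TMUX-style value, refuse anything outside a conservative allowlist, and hand the path to exec*() as a single argument instead of building a popen() shell string. The function names, the allowlist and the `tmux -S <path> list-clients` command are assumptions; the sample values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Conservative allowlist for a socket path (assumption: real tmux socket
 * paths only need these bytes). Quotes, $, `, ;, spaces, newlines are out. */
static const char ALLOWED[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/_.-";

/* Copy the first comma-separated field of a $TMUX-style value
 * ("socket_path,pid,session") into out. Returns 0 on success, -1 if the
 * field is empty, not absolute, too long, or has a byte outside ALLOWED. */
int tmux_socket_path(const char *tmux_env, char *out, size_t outlen)
{
    if (tmux_env == NULL || out == NULL || outlen == 0)
        return -1;
    size_t n = strcspn(tmux_env, ",");          /* length of first field */
    if (n == 0 || n >= outlen || tmux_env[0] != '/')
        return -1;
    if (strspn(tmux_env, ALLOWED) != n)         /* ',' is not in ALLOWED */
        return -1;
    memcpy(out, tmux_env, n);
    out[n] = '\0';
    return 0;
}

/* Fill argv for exec*(): the path is one argument and never reaches /bin/sh.
 * "tmux -S <path> list-clients" is a hypothetical command for illustration. */
int build_tmux_argv(const char *tmux_env, char *pathbuf, size_t pathlen,
                    const char *argv[5])
{
    if (tmux_socket_path(tmux_env, pathbuf, pathlen) != 0)
        return -1;
    argv[0] = "tmux"; argv[1] = "-S"; argv[2] = pathbuf;
    argv[3] = "list-clients"; argv[4] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample values, not captured from a real system. */
    const char *samples[] = { "/tmp/tmux-1000/default,4242,0",
                              "/tmp/tmux-1000/de\"fault,4242,0" };
    char path[108];
    const char *argv[5];
    for (size_t i = 0; i < 2; i++)
        printf("%s\n", build_tmux_argv(samples[i], path, sizeof path, argv)
                           ? "rejected" : "accepted");
    return 0;
}
```

The allowlist alone blocks the quoting break-out; dropping the shell removes the class of bug even if the allowlist is later widened.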

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle pam_usb. Any image containing an affected version of pam_usb (below 0.8.7) is flagged automatically.

Status: Available

Triage

HarborGuard scores this finding at CVSS 8.8 (HIGH) and weights it against each customer environment's compliance policy to determine urgency. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available as soon as the upstream maintainer ships a fix. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access is required to trigger the vulnerability.

  • Authentication: Required

    Any low-privilege local account is sufficient; the attacker only needs enough access to set their own environment variables before triggering a PAM authentication event.

  • Victim interaction: Not required

    No interaction from another user or administrator is needed; the attacker triggers the vulnerable code path entirely through their own session.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; placing a crafted double-quote character in the $TMUX environment variable consistently breaks the shell quoting and injects arbitrary commands.

Blast Radius

  • The injected command runs inside popen() under the PAM stack with root privileges, giving the attacker full control of the host operating system.
  • An attacker can read any file on the system, including /etc/shadow, SSH private keys, application secrets, and credential stores.
  • An attacker can write or overwrite any file, including sudoers entries, cron jobs, init scripts, or the PAM configuration itself, achieving persistent root access.
  • An attacker can terminate any process or corrupt system state, causing immediate denial of service for all users on the host.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix for CVE-2026-44713 has been published, the platform monitors the advisory on every ingest cycle and will generate a patched-image rebuild automatically the moment pam_usb 0.8.7 or a later fix version is released. For customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against all affected workloads without manual intervention. In the interim, compensating controls worth considering include: restricting the $TMUX environment variable via PAM environment-stripping rules (using pam_env with a whitelist), applying Linux namespace or container isolation to limit the blast radius if the injection fires, and auditing which images in your registry bundle pam_usb using the HarborGuard component-search capability to prioritize which workloads need the most immediate attention.


Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in
Affected Products: 1
Affected packages
  • mcdope / pam_usb: < 0.8.7
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H