CVE-2026-47269: pam_usb: deny_remote feature incorrectly classifies IPv4-mapped IPv6 remote connections as local
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb's deny_remote feature checks utmpx ut_addr_v6 to detect whether an authentication request originates from a remote session. The outer guard was if (utent->ut_addr_v6[0] != 0), which only tests the first 32-bit word of the 128-bit address field. IPv4-mapped IPv6 addresses (::ffff:x.x.x.x) store the IPv4 address in ut_addr_v6[3] with ut_addr_v6[0] == 0. On systems where the SSH daemon listens on :: (IPv6 wildcard) with AddressFamily any -- common on Ubuntu and Debian -- incoming IPv4 connections are recorded in utmpx as IPv4-mapped IPv6 addresses. The outer check evaluates to false, the remote-detection block is skipped entirely, and the session is treated as local. deny_remote=true does not block the authentication. An attacker with physical access to a registered USB device can authenticate over SSH on an affected system as if they were sitting at a local terminal, bypassing the deny_remote restriction. This vulnerability is fixed in 0.9.0.
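The guard logic described above is small enough to reproduce on its own. The program below is an added example, not pam_usb's code: it models the relevant utmpx field with a constructed struct, records a login address the way the advisory says affected systems do (an IPv6 address, including the IPv4-mapped form, is copied into all four words unchanged), and runs both the word-0-only guard and a corrected any-word guard over a local login, a plain IPv4 client, an IPv4-mapped client and a native IPv6 client. The corrected guard is the obvious repair, not a copy of the upstream 0.9.0 patch; the struct name, the recorder and the sample addresses (from documentation ranges) are all assumptions of this example. It is the kind of regression check a maintainer would keep next to a deny_remote implementation.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the one utmpx field that matters here. glibc's
 * struct utmpx declares `int32_t ut_addr_v6[4]`: a 128-bit address in
 * network byte order; a plain IPv4 login stores its address in word 0 and
 * a local (console) login leaves all four words zero. */
struct fake_utent {
    int32_t ut_addr_v6[4];
};

/* The outer guard the advisory describes: only the first 32-bit word is
 * tested, so ::ffff:a.b.c.d (word 0 == 0, IPv4 bits in word 3) looks local. */
static int remote_guard_word0_only(const struct fake_utent *utent)
{
    return utent->ut_addr_v6[0] != 0;
}

/* Corrected guard. Assumption: this is the straightforward repair (any
 * non-zero word means an address was recorded); it is not a copy of the
 * upstream 0.9.0 change. */
static int remote_guard_any_word(const struct fake_utent *utent)
{
    for (int i = 0; i < 4; i++) {
        if (utent->ut_addr_v6[i] != 0)
            return 1;
    }
    return 0;
}

/* Constructed login recorder: IPv4 text goes into word 0, IPv6 text
 * (including the IPv4-mapped form) is copied into all 16 bytes unchanged,
 * which is the layout the advisory reports for IPv4 clients of an sshd
 * listening on ::. An empty string models a local login with no address.
 * Returns 0 on success, -1 if the text parses as neither family. */
static int record_login_address(struct fake_utent *utent, const char *text)
{
    struct in_addr a4;
    struct in6_addr a6;

    memset(utent, 0, sizeof *utent);
    if (text[0] == '\0')
        return 0;
    if (inet_pton(AF_INET, text, &a4) == 1) {
        memcpy(&utent->ut_addr_v6[0], &a4, sizeof a4);
        return 0;
    }
    if (inet_pton(AF_INET6, text, &a6) == 1) {
        memcpy(utent->ut_addr_v6, &a6, sizeof a6);
        return 0;
    }
    return -1;
}

/* What each guard decides for a login from `text`:
 * 1 = treated as remote, 0 = treated as local, -1 = unparseable address. */
int word0_guard_says_remote(const char *text)
{
    struct fake_utent u;
    if (record_login_address(&u, text) != 0)
        return -1;
    return remote_guard_word0_only(&u);
}

int any_word_guard_says_remote(const char *text)
{
    struct fake_utent u;
    if (record_login_address(&u, text) != 0)
        return -1;
    return remote_guard_any_word(&u);
}

int main(void)
{
    /* Constructed sample clients; 192.0.2.0/24 and 2001:db8::/32 are
     * documentation ranges, not real hosts. */
    const char *clients[] = { "", "192.0.2.10", "::ffff:192.0.2.10", "2001:db8::1" };
    size_t n = sizeof clients / sizeof clients[0];

    printf("%-20s %-12s %s\n", "recorded address", "word0 guard", "any-word guard");
    for (size_t i = 0; i < n; i++) {
        printf("%-20s %-12d %d\n",
               clients[i][0] ? clients[i] : "(local, all zero)",
               word0_guard_says_remote(clients[i]),
               any_word_guard_says_remote(clients[i]));
    }
    return 0;
}
```

The row for ::ffff:192.0.2.10 is the bug: the word-0 guard reports 0 (local) while the any-word guard reports 1 (remote), so with the original guard the deny_remote block is never entered for that session. The other three rows agree, which is why the defect only surfaces when sshd records IPv4 clients in mapped form.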
HarborGuard Analysis
Synopsis
An authentication bypass affects pam_usb, a Linux PAM module that uses removable USB media as a hardware authentication factor. The bug is reachable over the network with no authentication required, but exploitation also demands high attack complexity. A remote attacker who already possesses a registered USB device and can meet the required environmental conditions bypasses the deny_remote restriction, authenticating over SSH as if they were at a local terminal, gaining full read and write access to the system. No fix version has been published yet; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
Detection of CVE-2026-47269 is available across every HarborGuard environment - the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle pam_usb packages below version 0.9.0. Any image in a connected registry or CI pipeline carrying an affected pam_usb build is flagged automatically.
Status: Available
HarborGuard is capable of scoring this finding at CVSS 7.4 HIGH and weighting it against each environment's compliance policy to surface appropriate urgency. Routing to the correct team inbox within each customer organization is available based on image ownership and policy configuration.
Status: Available
Because no fix version has been published upstream for CVE-2026-47269, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment version 0.9.0 or a later fix is released. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required. The attacker must reach the target SSH service over the network; systems with SSH exposed on an IPv6 wildcard address (::) and AddressFamily any are the affected population.
- Authentication: Not required. No credentials or account privileges are required to initiate the authentication attempt that triggers the bypass.
- Victim interaction: Not required. No user on the target system needs to take any action for the exploit to succeed.
- Attack complexity: High. Exploitation requires the attacker to already possess a physical USB device registered to the target system, and the SSH daemon must be configured with an IPv6 wildcard listener, which makes success dependent on specific environmental conditions rather than a simple reliable trigger.
Blast Radius
- Reads files, credentials, and secrets accessible to the authenticated user account on the compromised system.
- Modifies files, configurations, and persisted data within the scope of the authenticated session.
- Allows lateral movement or privilege escalation attempts from an established interactive shell on the host.
- Effectively nullifies the deny_remote hardware authentication policy, undermining the security control the module was deployed to enforce.
How HarborGuard Handles This
Available on HarborGuard: images containing pam_usb packages below version 0.9.0 are detectable today across all connected registries and pipelines. Because no upstream fix has been published, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically once version 0.9.0 ships. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will fire without manual intervention at that point. In the meantime, compensating controls worth evaluating include restricting SSH listener configuration to IPv4-only (AddressFamily inet) to prevent IPv4-mapped IPv6 address recording in utmpx, applying network-policy or firewall rules to limit SSH exposure to trusted source addresses, and auditing which images in your environment bundle pam_usb with deny_remote enabled. Where compliance policy permits, HarborGuard can surface this finding with a high-severity routing tag to accelerate manual review while the upstream patch is pending.
Metrics
- CVSS v3.1: 7.4
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
  - mcdope / pam_usb < 0.9.0
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N