Severity: HIGH | CVE-2026-47272 | CNA: GitHub_M

CVE-2026-47272: pam_usb: OTP pad authentication bypass via missing system pad check and uninitialized RNG buffer

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, the pusb_pad_compare() function in src/pad.c only verified that the user-side pad (~/.pamusb/device.pad) could be read, but did not enforce that the system-side pad (the pad file on the USB device) was also present and readable. If the user-side pad was deleted or unreadable, the function returned a failure that was treated as non-fatal in certain code paths, allowing authentication to succeed without the USB device being verified. A local user can delete their own ~/.pamusb/device.pad to remove the USB device requirement and authenticate without the physical device. This vulnerability is fixed in 0.9.0.
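The failure-handling pattern described above, as an added example: this is a simplified model and not pam_usb's source code. The result codes, function names, and file paths are hypothetical, and the pad contents are constructed sample data. It contrasts a caller that treats an unreadable pad as non-fatal with one that authenticates only on a positive match.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this model; not pam_usb's own. */
enum pad_result { PAD_MATCH, PAD_MISMATCH, PAD_UNAVAILABLE };
/* Read a pad file; returns bytes read, or -1 if missing, unreadable or empty. */
static long read_pad(const char *path, unsigned char *buf, size_t cap) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, cap, f);
    fclose(f);
    return n > 0 ? (long)n : -1;
}

/* Both pads must be readable before any verdict is given. */
enum pad_result pad_compare(const char *user_pad, const char *system_pad) {
    unsigned char u[256] = {0}, s[256] = {0};
    long ul = read_pad(user_pad, u, sizeof u), sl = read_pad(system_pad, s, sizeof s);
    if (ul < 0 || sl < 0) return PAD_UNAVAILABLE;
    return (ul == sl && memcmp(u, s, (size_t)ul) == 0) ? PAD_MATCH : PAD_MISMATCH;
}

/* Fail-open caller (the flawed pattern): only a mismatch denies. 1 = allow. */
int auth_fail_open(const char *up, const char *sp) {
    return pad_compare(up, sp) != PAD_MISMATCH;
}
/* Fail-closed caller: only a positive match allows. */
int auth_fail_closed(const char *up, const char *sp) {
    return pad_compare(up, sp) == PAD_MATCH;
}

/* Constructed sample. Bits: open_ok, closed_ok, open_missing, closed_missing. */
int run_demo(const char *up, const char *sp) {
    const char pad[] = "constructed-sample-pad";
    FILE *f = fopen(up, "wb");
    if (!f) return -1;
    fwrite(pad, 1, sizeof pad, f); fclose(f);
    if (!(f = fopen(sp, "wb"))) return -1;
    fwrite(pad, 1, sizeof pad, f); fclose(f);
    int bits = (auth_fail_open(up, sp) << 3) | (auth_fail_closed(up, sp) << 2);
    remove(up);                       /* user-side pad is now absent */
    bits |= (auth_fail_open(up, sp) << 1) | auth_fail_closed(up, sp);
    remove(sp);
    return bits;
}

int main(void) {
    return printf("verdict bits: 0x%x\n", run_demo("/tmp/user.pad", "/tmp/system.pad")) < 0;
}
```

With both pads present the two callers agree; once the user-side pad is absent, only the fail-closed caller denies.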

HarborGuard Analysis


Synopsis

An authentication bypass vulnerability exists in pam_usb, a PAM module that provides hardware-backed login using removable USB media. A local attacker with a low-privilege account can delete their own ~/.pamusb/device.pad file, causing the pad comparison function to return a non-fatal failure that the authentication code path incorrectly treats as a pass, eliminating the USB device requirement entirely. Successful exploitation lets an attacker authenticate to any service backed by pam_usb without possessing the physical USB device, enabling full account takeover for that user. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix version is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle pam_usb. Any image carrying an affected version of the library is flagged immediately on next scan or on first scan of a newly pushed image.

Status: Available

Triage

HarborGuard scores this finding at CVSS 7.1 HIGH using the published v3.1 vector and weights it further against each environment's compliance policy, taking into account factors such as privileged-access or multi-factor authentication requirements. Findings are routed to the appropriate team inbox within each customer organization based on policy-defined ownership rules.

Status: Available

Patch

Because no fix version has been published upstream yet, HarborGuard re-checks the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment a fix version is released. For customers with auto-remediation enabled, a rebuild, regression-test run, and PR against affected workloads will be opened without manual intervention once the upstream patch ships.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access is required to trigger the bypass.

  • Authentication: Required

    Any low-privilege local account is sufficient; the attacker only needs enough access to delete their own ~/.pamusb/device.pad file.

  • Victim interaction: Not required

    No interaction from another user or administrator is needed; the attacker acts entirely on their own account.

  • Attack complexity: Detail

    Exploitation is straightforward and condition-free: deleting a single file in the attacker's home directory is enough to trigger the bypass reliably.

Blast Radius

  • The attacker authenticates to pam_usb-protected services, such as sudo, su, screen-lock, or SSH, without possessing the required physical USB device.
  • Confidential data accessible to the compromised account, including files, environment variables, and credentials stored in the home directory, is exposed to the attacker.
  • The attacker can modify, overwrite, or delete files and configurations owned by the account, potentially escalating further if the account has sudo rights.

How HarborGuard Handles This

Available on HarborGuard: images containing pam_usb versions below 0.9.0 are flagged as soon as they appear in a customer registry or build pipeline. Because no upstream fix version exists yet, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment 0.9.0 or a later corrective release is published. For customers with auto-remediation enabled, that rebuild will trigger a regression-test run and a PR opened against affected workloads without manual steps. While the upstream fix is pending, consider compensating controls such as restricting local login paths protected by pam_usb to users who genuinely need them, enforcing filesystem ACLs or immutable flags on device.pad files, or adding a secondary PAM module to enforce a second factor so that removal of the pad file alone does not complete authentication.


Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in:
  • Affected products: 1
  • Affected packages: mcdope / pam_usb < 0.9.0
  • CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N