Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2026-44709— pam_usb: PINENTRY_FALLBACK_APP environment variable allows arbitrary command execution

CVSS 7.8 · High
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-44709

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
pam_usb: PINENTRY_FALLBACK_APP environment variable allows arbitrary command execution
Source: NVD (National Vulnerability Database)
Vulnerability Description
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, pamusb-pinentry reads the PINENTRY_FALLBACK_APP environment variable and executes it directly without any validation. Any process that can set environment variables before pamusb-pinentry is invoked can point PINENTRY_FALLBACK_APP at an arbitrary binary or script and have it executed with the privileges of the pam_usb tool chain. This vulnerability is fixed in 0.8.7.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
mcdopepam_usb < 0.8.7 -

II. Public POCs for CVE-2026-44709

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-44709

登录查看更多情报信息。

Vendor Advisories for CVE-2026-44709 (1)

Same Patch Batch · mcdope · 2026-05-27 · 15 CVEs total

CVE-2026-447138.8 HIGHpam_usb: Command injection via $TMUX environment variable leads to RCE as root
CVE-2026-447128.2 HIGHpam_usb: Shell injection via device UUID and username in pamusb-conf and pamusb-agent
CVE-2026-480648.1 HIGHpam_usb: PAM_RHOST check skipped when deny_remote=false allows XDMCP authentication bypass
CVE-2026-447117.9 HIGHpam_usb: Symlink attacks on pad directory and pad files enable authentication bypass and r
CVE-2026-472697.4 HIGHpam_usb: deny_remote feature incorrectly classifies IPv4-mapped IPv6 remote connections as
CVE-2026-472727.1 HIGHpam_usb: OTP pad authentication bypass via missing system pad check and uninitialized RNG
CVE-2026-480656.7 MEDIUMpam_usb: Unchecked integer multiplication before xmalloc() in conf.c allows heap-based buf
CVE-2026-472736.5 MEDIUMpam_usb: XPath injection via PAM-supplied identifiers in pam_usb configuration queries
CVE-2026-472746.3 MEDIUMpam_usb: Uncontrolled search path in pam_usb tools allows privilege escalation via PATH ma
CVE-2026-472706.3 MEDIUMpam_usb: strtok() race condition in multi-threaded PAM hosts can corrupt deny_remote resul
CVE-2026-480665.7 MEDIUMpam_usb: Thread-unsafe static pointer in log.c causes data race under concurrent PAM authe
CVE-2026-472715.1 MEDIUMpam_usb: OOM guards removed by -DNDEBUG cause NULL dereference and authentication process
CVE-2026-447104.6 MEDIUMpam_usb: NULL pointer dereference from UDisks device fields causes PAM crash and login den
CVE-2026-487924.4 MEDIUMpam_usb: pusb_has_virtual_input_device() silently discards EACCES, disabling remote deskto

IV. Related Vulnerabilities

Same product: pam_usb
Same vendor: mcdope
Same weakness: CWE-78

V. Comments for CVE-2026-44709

No comments yet

Leave a comment