CVE-2026-44713 HIGH

CVE-2026-44713: pam_usb: Command injection via $TMUX environment variable leads to RCE as root

Vendor Mcdope

Product pam_usb

Weakness CWE-78

Published May 27, 2026

Last update May 30, 2026

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Local

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, src/tmux.c reads the user's $TMUX environment variable, splits it on commas, and interpolates the socket-path component directly into a shell command passed to popen(). Because the value is placed inside double-quotes without sanitisation, any value containing " terminates the quoted string and injects arbitrary shell syntax. popen() runs as root inside the PAM stack. This vulnerability is fixed in 0.8.7.

Key dates

02Disclosure timeline

May 27, 2026 CVE published

May 30, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-44713

Related vulnerabilities

CVE-2026-44713: pam_usb: Command injection via $TMUX environment variable leads to RCE as root

01Description

02Disclosure timeline

03References

04Related CVE