CVE-2026-47274 MEDIUM

CVE-2026-47274: pam_usb: Uncontrolled search path in pam_usb tools allows privilege escalation via PATH manipulation

Vendor Mcdope
Product pam_usb
Weakness CWE-427
Published May 27, 2026
Last update May 30, 2026

CVSS base score

6.3/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01 Description

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, multiple pam_usb helper tools resolved external binaries through the PATH environment variable rather than using absolute paths. An attacker who can influence the process environment during PAM authentication or tool execution could substitute malicious binaries. The affected tools are pamusb-check (src/tmux.c), pamusb-conf (tools/pamusb-conf), and pamusb-keyring-unlock-gnome (tools/pamusb-keyring-unlock-gnome). This vulnerability is fixed in 0.9.0.

Key dates

02 Disclosure timeline

May 27, 2026 CVE published
May 30, 2026 Record updated