CVE 8.8 HIGH

pam_usb: Command injection via $TMUX environment variable leads to RCE as root_CVE-2026-44713

May 27, 2026 invoker category_cve

8.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, src/tmux.c reads the user's $TMUX environment variable, splits it on commas, and interpolates the socket-path component directly into a shell command passed to popen(). Because the value is placed inside double-quotes without sanitisation, any value containing " terminates the quoted string and injects arbitrary shell syntax. popen() runs as root inside the PAM stack. This vulnerability is fixed in 0.8.7.

AI Analysis

Command injection vulnerability via $TMUX environment variable, allowing RCE as root

Basic Information

ID CVE-2026-44713

Source GitHub_M

Published May 27, 2026 at 20:13

Affected Product

Vendor mcdope

Product pam_usb

Version < 0.8.7

Affected Versions mcdope pam_usb < 0.8.7

CWE Classification

CWE-78 CWE-116

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor mcdope

Product pam_usb

Version < 0.8.7

References

github.com /mcdope/pam_usb/security/advisories/GHSA-822m-whrh-vrj8

{
    "lastseen": "",
    "description": "pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, src/tmux.c reads the user's $TMUX environment variable, splits it on commas, and interpolates the socket-path component directly into a shell command passed to popen(). Because the value is placed inside double-quotes without sanitisation, any value containing \" terminates the quoted string and injects arbitrary shell syntax. popen() runs as root inside the PAM stack. This vulnerability is fixed in 0.8.7.",
    "published": "2026-05-27T20:13:13.193Z",
    "modified": "2026-05-27T20:13:13.193Z",
    "type": "cve",
    "title": "pam_usb: Command injection via $TMUX environment variable leads to RCE as root",
    "source": "GitHub_M",
    "references": "https://github.com/mcdope/pam_usb/security/advisories/GHSA-822m-whrh-vrj8",
    "id": "CVE-2026-44713",
    "bulletinFamily": "",
    "cwe": [
        "CWE-78",
        "CWE-116"
    ],
    "cvelist": null,
    "sourceData": "mcdope pam_usb < 0.8.7",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "pam_usb",
    "version": "< 0.8.7",
    "vendor": "mcdope",
    "ai_description": "Command injection vulnerability via $TMUX environment variable, allowing RCE as root",
    "ai_severity": "High",
    "ai_vendor": "mcdope",
    "ai_product": "pam_usb",
    "ai_version": "< 0.8.7",
    "ai_score": 8.8
}

💭 Join the Security Discussion ❌ Cancel Reply