CVE-2026-44709

Source
https://cve.org/CVERecord?id=CVE-2026-44709
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44709.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44709
Aliases
  • GHSA-jxrj-q67x-wr4c
Published
2026-05-27T20:20:52.529Z
Modified
2026-07-08T08:13:28.865881070Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
pam_usb: PINENTRY_FALLBACK_APP environment variable allows arbitrary command execution
Details

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, pamusb-pinentry reads the PINENTRYFALLBACKAPP environment variable and executes it directly without any validation. Any process that can set environment variables before pamusb-pinentry is invoked can point PINENTRYFALLBACKAPP at an arbitrary binary or script and have it executed with the privileges of the pamusb tool chain. This vulnerability is fixed in 0.8.7.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44709.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-78"
    ]
}
References

Affected packages

Git / github.com/mcdope/pam_usb

Affected ranges

Type
GIT
Repo
https://github.com/mcdope/pam_usb
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.8.7"
        }
    ]
}

Affected versions

0.*
0.5.0
0.7.1
0.7.2
0.7.3
0.8.3
0.8.4
v0.*
v0.7.0
v0.8.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44709.json"