CVE-2026-54411

Source
https://cve.org/CVERecord?id=CVE-2026-54411
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54411.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54411
Downstream
Related
Published
2026-06-14T17:21:43.853Z
Modified
2026-07-09T10:14:53.344967821Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/AU:N/V:D CVSS Calculator
Summary
[none]
Details

Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pamuserdb module's plaintext-password comparison path in modules/pamuserdb/pamuserdb.c that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the plaintext password of a target account by measuring response-timing differences. The comparison uses strncmp() (or strncasecmp() when PAMICASEARG is set) preceded by a length-equality check, so the time to reject a candidate depends on the index of the first differing byte and on whether the candidate's length matches the stored password, leaking the password length and individual prefix bytes. The vulnerable path is reached when the administrator configures pamuserdb with crypt=none, with an unrecognized crypt method, or without a crypt= argument, causing the module to store and compare credentials in plaintext.

Database specific
{
    "cna_assigner": "TuranSec",
    "cwe_ids": [
        "CWE-208"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54411.json"
}
References

Affected packages

Git / github.com/linux-pam/linux-pam

Affected ranges

Type
GIT
Repo
https://github.com/linux-pam/linux-pam
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.7.2"
        },
        {
            "fixed": "1.7.2"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION"
    ]
}

Affected versions

Other
Linux-PAM-0-73
Linux-PAM-0-74
Linux-PAM-0-75
Linux-PAM-0-76
Linux-PAM-0-77
Linux-PAM-0-78
Linux-PAM-0-78-Beta1
Linux-PAM-0-79
Linux-PAM-0-80
Linux-PAM-0_99_10_0
Linux-PAM-0_99_1_0
Linux-PAM-0_99_2_0
Linux-PAM-0_99_2_1
Linux-PAM-0_99_3_0
Linux-PAM-0_99_4_0
Linux-PAM-0_99_5_0
Linux-PAM-0_99_6_0
Linux-PAM-0_99_6_1
Linux-PAM-0_99_6_2
Linux-PAM-0_99_6_3
Linux-PAM-0_99_7_0
Linux-PAM-0_99_7_1
Linux-PAM-0_99_8_0
Linux-PAM-0_99_8_1
Linux-PAM-0_99_9_0
Linux-PAM-1_0_0
Linux-PAM-1_0_90
Linux-PAM-1_0_91
Linux-PAM-1_0_92
Linux-PAM-1_1-branch
Linux-PAM-1_1_0
Linux-PAM-1_1_1
Linux-PAM-1_1_2
Linux-PAM-1_1_3
Linux-PAM-1_1_4
Linux-PAM-1_1_5
Linux-PAM-1_1_7
Linux-PAM-1_1_8
Linux-PAM-1_2_0
Linux-PAM-1_2_1
before_automake
help
pam_unix_refactor
Linux-PAM-1.*
Linux-PAM-1.3.0
v1.*
v1.1.4
v1.1.6
v1.3.1
v1.4.0
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.6.0
v1.6.1
v1.7.0
v1.7.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54411.json"