CVE-2026-44713
HighSummary
In versions prior to 0.8.7, pam_usb reads the user's $TMUX environment variable and interpolates its value without proper sanitization, allowing arbitrary shell syntax injection. This creates a risk of unauthorized command execution as root.
Risk Assessment
This vulnerability could lead to serious security breaches, allowing attackers to execute arbitrary commands in the context of root, jeopardizing system integrity.
Recommendation
It is recommended to upgrade to version 0.8.7 or later to mitigate this vulnerability and to review and restrict access to the $TMUX variable.
Original NVD description (English source)
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, src/tmux.c reads the user's $TMUX environment variable, splits it on commas, and interpolates the socket-path component directly into a shell command passed to popen(). Because the value is placed inside double-quotes without sanitisation, any value containing " terminates the quoted string and injects arbitrary shell syntax. popen() runs as root inside the PAM stack. This vulnerability is fixed in 0.8.7.

