{"id":"CVE-2026-47269","summary":"pam_usb: deny_remote feature incorrectly classifies IPv4-mapped IPv6 remote connections as local","details":"pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0,  pam_usb's deny_remote feature checks utmpx ut_addr_v6 to detect whether an authentication request originates from a remote session. The outer guard was if (utent-\u003eut_addr_v6[0] != 0), which only tests the first 32-bit word of the 128-bit address field. IPv4-mapped IPv6 addresses (::ffff:x.x.x.x) store the IPv4 address in ut_addr_v6[3] with ut_addr_v6[0] == 0. On systems where the SSH daemon listens on :: (IPv6 wildcard) with AddressFamily any -- common on Ubuntu and Debian -- incoming IPv4 connections are recorded in utmpx as IPv4-mapped IPv6 addresses. The outer check evaluates to false, the remote-detection block is skipped entirely, and the session is treated as local. deny_remote=true does not block the authentication. An attacker with physical access to a registered USB device can authenticate over SSH on an affected system as if they were sitting at a local terminal, bypassing the deny_remote restriction. This vulnerability is fixed in 0.9.0.","aliases":["GHSA-jmmj-qhrq-w45g"],"modified":"2026-07-08T08:09:41.125108997Z","published":"2026-05-27T20:11:44.975Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47269.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-284"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47269.json"},{"type":"ADVISORY","url":"https://github.com/mcdope/pam_usb/security/advisories/GHSA-jmmj-qhrq-w45g"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47269"},{"type":"FIX","url":"https://github.com/mcdope/pam_usb/commit/804fe24eae3d742d8be05fd015e36abc3c7d94e5"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mcdope/pam_usb","events":[{"introduced":"0"},{"fixed":"804fe24eae3d742d8be05fd015e36abc3c7d94e5"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"0.9.0"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-47269.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}