CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

Linux-PAM — security advisories

1 advisorieslatest 2026-06-09⚡ RSS feed

Tracked Linux-PAM products:

Linux-PAM

⚡ Watch Linux-PAM

Get an email when a new Linux-PAM advisory drops — max one per day, one-click unsubscribe.

CVE-2026-54411: Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module's plaintext-password comparison path in modules/pam_userdb/pam_userdb.c that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the plaintext password of a target account by measuring response-timing differences. The comparison uses strncmp() (or strncasecmp() when PAM_ICASE_ARG is set) preceded by a length-equa

mediumCVSS 5.9CVE-2026-54411msrc2026-06-09