Vulnerability-Lookup

RHSA-2026:7553

Vulnerability from csaf_redhat - Published: 2026-04-10 22:04 - Updated: 2026-06-24 21:28

Summary

Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update

Severity

Moderate

Notes

Topic: An update for Red Hat Hardened Images RPMs is now available.

Details: This update includes the following RPMs: pam: * pam-1.7.2-1.1.hum1 (aarch64, x86_64) * pam-devel-1.7.2-1.1.hum1 (aarch64, x86_64) * pam-doc-1.7.2-1.1.hum1 (noarch) * pam-libs-1.7.2-1.1.hum1 (aarch64, x86_64) * pam-1.7.2-1.1.hum1.src (src)

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2026-54411

A flaw was found in Linux-PAM's `pam_userdb` module. This vulnerability, categorized as an Observable Timing Discrepancy (CWE-208), allows a local or network-adjacent attacker to recover plaintext passwords. By repeatedly attempting authentication and measuring response-timing differences during plaintext password comparison, an attacker can deduce the password. This flaw is exploitable when the `pam_userdb` module is configured to store and compare credentials in plaintext, which is not a default setting.

4.8 (Medium)


                        
                          CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: Red Hat Hardened Images:pam-main@aarch64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:pam-main@noarch	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:pam-main@src	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:pam-main@x86_64	—	Vendor Fix fix Workaround

Threats

Impact Moderate

References

13 references

URL	Category
https://access.redhat.com/errata/RHSA-2026:7553	self
https://images.redhat.com/	external
https://access.redhat.com/security/cve/CVE-2026-54411	external
https://access.redhat.com/security/updates/classi…	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2026-54411	self
https://bugzilla.redhat.com/show_bug.cgi?id=2488766	external
https://www.cve.org/CVERecord?id=CVE-2026-54411	external
https://nvd.nist.gov/vuln/detail/CVE-2026-54411	external
https://cwe.mitre.org/data/definitions/208.html	external
https://github.com/linux-pam/linux-pam	external
https://github.com/linux-pam/linux-pam/blob/maste…	external
https://github.com/linux-pam/linux-pam/blob/maste…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for Red Hat Hardened Images RPMs is now available.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This update includes the following RPMs:\n\npam:\n  * pam-1.7.2-1.1.hum1 (aarch64, x86_64)\n  * pam-devel-1.7.2-1.1.hum1 (aarch64, x86_64)\n  * pam-doc-1.7.2-1.1.hum1 (noarch)\n  * pam-libs-1.7.2-1.1.hum1 (aarch64, x86_64)\n  * pam-1.7.2-1.1.hum1.src (src)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:7553",
        "url": "https://access.redhat.com/errata/RHSA-2026:7553"
      },
      {
        "category": "external",
        "summary": "https://images.redhat.com/",
        "url": "https://images.redhat.com/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-54411",
        "url": "https://access.redhat.com/security/cve/CVE-2026-54411"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_7553.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
    "tracking": {
      "current_release_date": "2026-06-24T21:28:59+00:00",
      "generator": {
        "date": "2026-06-24T21:28:59+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "5.0.0"
        }
      },
      "id": "RHSA-2026:7553",
      "initial_release_date": "2026-04-10T22:04:24+00:00",
      "revision_history": [
        {
          "date": "2026-04-10T22:04:24+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-06-24T21:05:18+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-24T21:28:59+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Hardened Images",
                "product": {
                  "name": "Red Hat Hardened Images",
                  "product_id": "Red Hat Hardened Images",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:hummingbird:1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Hardened Images"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "pam-main@aarch64",
                "product": {
                  "name": "pam-main@aarch64",
                  "product_id": "pam-main@aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/pam@1.7.2-1.1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "pam-main@src",
                "product": {
                  "name": "pam-main@src",
                  "product_id": "pam-main@src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/pam@1.7.2-1.1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "pam-main@x86_64",
                "product": {
                  "name": "pam-main@x86_64",
                  "product_id": "pam-main@x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/pam@1.7.2-1.1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "pam-main@noarch",
                "product": {
                  "name": "pam-main@noarch",
                  "product_id": "pam-main@noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/pam-doc@1.7.2-1.1.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pam-main@aarch64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:pam-main@aarch64"
        },
        "product_reference": "pam-main@aarch64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pam-main@noarch as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:pam-main@noarch"
        },
        "product_reference": "pam-main@noarch",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pam-main@src as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:pam-main@src"
        },
        "product_reference": "pam-main@src",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pam-main@x86_64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:pam-main@x86_64"
        },
        "product_reference": "pam-main@x86_64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-54411",
      "discovery_date": "2026-06-14T18:00:55.002567+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2488766"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Linux-PAM\u0027s `pam_userdb` module. This vulnerability, categorized as an Observable Timing Discrepancy (CWE-208), allows a local or network-adjacent attacker to recover plaintext passwords. By repeatedly attempting authentication and measuring response-timing differences during plaintext password comparison, an attacker can deduce the password. This flaw is exploitable when the `pam_userdb` module is configured to store and compare credentials in plaintext, which is not a default setting.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "linux-pam: Plaintext password recovery via timing discrepancy in pam_userdb module",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This Moderate flaw in Linux-PAM\u0027s `pam_userdb` module allows a local or network-adjacent attacker to recover plaintext passwords through a timing discrepancy. This vulnerability requires the `pam_userdb` module to be explicitly configured to store and compare credentials in plaintext, which is not a default or recommended configuration in Red Hat Enterprise Linux environments. The impact is limited by the need for repeated authentication attempts and specific, non-default module configurations.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:pam-main@aarch64",
          "Red Hat Hardened Images:pam-main@noarch",
          "Red Hat Hardened Images:pam-main@src",
          "Red Hat Hardened Images:pam-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-54411"
        },
        {
          "category": "external",
          "summary": "RHBZ#2488766",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488766"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-54411",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-54411"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-54411",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54411"
        },
        {
          "category": "external",
          "summary": "https://cwe.mitre.org/data/definitions/208.html",
          "url": "https://cwe.mitre.org/data/definitions/208.html"
        },
        {
          "category": "external",
          "summary": "https://github.com/linux-pam/linux-pam",
          "url": "https://github.com/linux-pam/linux-pam"
        },
        {
          "category": "external",
          "summary": "https://github.com/linux-pam/linux-pam/blob/master/libpam/include/pam_inline.h",
          "url": "https://github.com/linux-pam/linux-pam/blob/master/libpam/include/pam_inline.h"
        },
        {
          "category": "external",
          "summary": "https://github.com/linux-pam/linux-pam/blob/master/modules/pam_userdb/pam_userdb.c#L327",
          "url": "https://github.com/linux-pam/linux-pam/blob/master/modules/pam_userdb/pam_userdb.c#L327"
        }
      ],
      "release_date": "2026-06-14T17:21:43.853000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-10T22:04:24+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:pam-main@aarch64",
            "Red Hat Hardened Images:pam-main@noarch",
            "Red Hat Hardened Images:pam-main@src",
            "Red Hat Hardened Images:pam-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:7553"
        },
        {
          "category": "workaround",
          "details": "To mitigate this issue, administrators should ensure that the `pam_userdb` module is not configured to store or compare credentials in plaintext. Verify that `pam_userdb` is either configured with a strong cryptographic hashing method or, if not required, is disabled. Avoid using `crypt=none` or omitting the `crypt=` argument when configuring `pam_userdb`. If changes are made to PAM configuration files, services relying on PAM may need to be restarted for the changes to take effect.",
          "product_ids": [
            "Red Hat Hardened Images:pam-main@aarch64",
            "Red Hat Hardened Images:pam-main@noarch",
            "Red Hat Hardened Images:pam-main@src",
            "Red Hat Hardened Images:pam-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:pam-main@aarch64",
            "Red Hat Hardened Images:pam-main@noarch",
            "Red Hat Hardened Images:pam-main@src",
            "Red Hat Hardened Images:pam-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "linux-pam: Plaintext password recovery via timing discrepancy in pam_userdb module"
    }
  ]
}

CVE-2026-54411 (GCVE-0-2026-54411)

Vulnerability from cvelistv5 – Published: 2026-06-14 17:21 – Updated: 2026-06-15 16:59

Summary

Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module's plaintext-password comparison path in modules/pam_userdb/pam_userdb.c that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the plaintext password of a target account by measuring response-timing differences. The comparison uses strncmp() (or strncasecmp() when PAM_ICASE_ARG is set) preceded by a length-equality check, so the time to reject a candidate depends on the index of the first differing byte and on whether the candidate's length matches the stored password, leaking the password length and individual prefix bytes. The vulnerable path is reached when the administrator configures pam_userdb with crypt=none, with an unrecognized crypt method, or without a crypt= argument, causing the module to store and compare credentials in plaintext.

Severity

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/AU:N/V:D

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-208 - Observable Timing Discrepancy

Assigner

TuranSec

References

4 references

URL	Tags
https://github.com/linux-pam/linux-pam	product
https://github.com/linux-pam/linux-pam/blob/maste…	product
https://github.com/linux-pam/linux-pam/blob/maste…	product
https://cwe.mitre.org/data/definitions/208.html	technical-description

Impacted products

1 product

Vendor	Product	Version
Linux-PAM	Linux-PAM	Affected: 0 , ≤ 1.7.2 (semver)

Credits

Xurshidbek Sobirjonov

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54411",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T16:59:25.401303Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T16:59:37.818Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/linux-pam/linux-pam",
          "defaultStatus": "unknown",
          "modules": [
            "pam_userdb"
          ],
          "product": "Linux-PAM",
          "programFiles": [
            "modules/pam_userdb/pam_userdb.c"
          ],
          "repo": "https://github.com/linux-pam/linux-pam",
          "vendor": "Linux-PAM",
          "versions": [
            {
              "lessThanOrEqual": "1.7.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Xurshidbek Sobirjonov"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eLinux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module\u0027s plaintext-password comparison path in \u003ccode\u003emodules/pam_userdb/pam_userdb.c\u003c/code\u003e that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the plaintext password of a target account by measuring response-timing differences. The comparison uses \u003ccode\u003estrncmp()\u003c/code\u003e (or \u003ccode\u003estrncasecmp()\u003c/code\u003e when \u003ccode\u003ePAM_ICASE_ARG\u003c/code\u003e is set) preceded by a length-equality check, so the time to reject a candidate depends on the index of the first differing byte and on whether the candidate\u0027s length matches the stored password, leaking the password length and individual prefix bytes. The vulnerable path is reached when the administrator configures pam_userdb with \u003ccode\u003ecrypt=none\u003c/code\u003e, with an unrecognized crypt method, or without a \u003ccode\u003ecrypt=\u003c/code\u003e argument, causing the module to store and compare credentials in plaintext.\u003c/p\u003e"
            }
          ],
          "value": "Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module\u0027s plaintext-password comparison path in modules/pam_userdb/pam_userdb.c that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the plaintext password of a target account by measuring response-timing differences. The comparison uses strncmp() (or strncasecmp() when PAM_ICASE_ARG is set) preceded by a length-equality check, so the time to reject a candidate depends on the index of the first differing byte and on whether the candidate\u0027s length matches the stored password, leaking the password length and individual prefix bytes. The vulnerable path is reached when the administrator configures pam_userdb with crypt=none, with an unrecognized crypt method, or without a crypt= argument, causing the module to store and compare credentials in plaintext."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "An attacker who can repeatedly drive authentication through a service that invokes pam_userdb with plaintext-password configuration and without an artificial failure delay can measure response-timing differences to learn the correct password length and recover the plaintext password byte by byte. Recovery requires many measurements per character and is sensitive to scheduling and network jitter; recovery of one user\u0027s secret does not by itself yield access to other accounts. Practical exploitation is gated by an administrative misconfiguration (pam_userdb storing passwords in plaintext, reached when the module is configured with crypt=none, with an unknown crypt method, or with no crypt= option) and by the absence of failure-delay or rate-limiting in the calling service."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "DIFFUSE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/AU:N/V:D",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "An attacker repeatedly authenticates through a service that calls pam_userdb (plaintext mode) and measures the time the service takes to reject each candidate password to learn the password length and recover the password one byte at a time."
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-208",
              "description": "CWE-208 Observable Timing Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:21:43.853Z",
        "orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
        "shortName": "TuranSec"
      },
      "references": [
        {
          "name": "Linux-PAM - upstream repository",
          "tags": [
            "product"
          ],
          "url": "https://github.com/linux-pam/linux-pam"
        },
        {
          "name": "Vulnerable plaintext-password comparison in pam_userdb.c (master)",
          "tags": [
            "product"
          ],
          "url": "https://github.com/linux-pam/linux-pam/blob/master/modules/pam_userdb/pam_userdb.c#L327"
        },
        {
          "name": "pam_consttime_streq helper available for the remediation",
          "tags": [
            "product"
          ],
          "url": "https://github.com/linux-pam/linux-pam/blob/master/libpam/include/pam_inline.h"
        },
        {
          "name": "CWE-208: Observable Timing Discrepancy",
          "tags": [
            "technical-description"
          ],
          "url": "https://cwe.mitre.org/data/definitions/208.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "x_assigner_notes": "The vulnerable comparison was verified by direct source inspection of modules/pam_userdb/pam_userdb.c at tag v1.7.2 and at master HEAD as of disclosure: lines 327-332 perform a length-equality early exit followed by strncmp() / strncasecmp(). Linux-PAM has previously addressed the same weakness class in a sibling module: NEWS for Release 1.7.0 records \"pam_unix: compare password hashes in constant time\", and Release 1.6.0 hardened pam_mkhomedir \"against timing attacks\". The pam_consttime_streq() helper used by those fixes lives in libpam/include/pam_inline.h, which pam_userdb.c already includes, so the remediation in pam_userdb is a drop-in replacement of the strncmp call. The v1.7.2 release notes do not list a pam_userdb hardening change. Exploitation is gated by (a) the administrator having configured pam_userdb with plaintext password storage (crypt=none, unknown crypt method, or no crypt= option), a discouraged but documented configuration; and (b) the calling service not applying an authentication-failure delay - both gates raise attack complexity and bound real-world impact, so CVSS is scored MEDIUM rather than HIGH consistent with prior CWE-208 timing-leak CVE scoring.",
      "x_author": "Xurshidbek Sobirjonov",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
    "assignerShortName": "TuranSec",
    "cveId": "CVE-2026-54411",
    "datePublished": "2026-06-14T17:21:43.853Z",
    "dateReserved": "2026-06-13T16:39:46.122Z",
    "dateUpdated": "2026-06-15T16:59:37.818Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:7553

CVE-2026-54411 (GCVE-0-2026-54411)

Tags

Sightings

Nomenclature