CVE-2026-54411
Linux-PAM pam_userdb Plaintext Password Recovery Timing Vulnerability
Description
Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module's plaintext-password comparison path in modules/pam_userdb/pam_userdb.c that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the plaintext password of a target account by measuring response-timing differences. The comparison uses strncmp() (or strncasecmp() when PAM_ICASE_ARG is set) preceded by a length-equality check, so the time to reject a candidate depends on the index of the first differing byte and on whether the candidate's length matches the stored password, leaking the password length and individual prefix bytes. The vulnerable path is reached when the administrator configures pam_userdb with crypt=none, with an unrecognized crypt method, or without a crypt= argument, causing the module to store and compare credentials in plaintext.
INFO
Published Date :
June 14, 2026, 6:17 p.m.
Last Modified :
June 14, 2026, 6:17 p.m.
Remotely Exploit :
Yes !
Source :
309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c
Affected Products
The following products are affected by CVE-2026-54411
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | MEDIUM | 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c | ||||
| CVSS 4.0 | MEDIUM | 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c | ||||
| CVSS 4.0 | MEDIUM | 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c |
Solution
- Configure pam_userdb with a strong crypt method.
- Avoid using crypt=none or unrecognized methods.
- Ensure correct configuration of pam_userdb.
- Update the module if possible.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-54411.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-54411 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-54411
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-54411 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2026-54411 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
New CVE Received by 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c
Jun. 14, 2026
Action Type Old Value New Value Added Description Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module's plaintext-password comparison path in modules/pam_userdb/pam_userdb.c that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the plaintext password of a target account by measuring response-timing differences. The comparison uses strncmp() (or strncasecmp() when PAM_ICASE_ARG is set) preceded by a length-equality check, so the time to reject a candidate depends on the index of the first differing byte and on whether the candidate's length matches the stored password, leaking the password length and individual prefix bytes. The vulnerable path is reached when the administrator configures pam_userdb with crypt=none, with an unrecognized crypt method, or without a crypt= argument, causing the module to store and compare credentials in plaintext. Added CVSS V4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:D/RE:X/U:X Added CVSS V3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Added CWE CWE-208 Added Reference https://cwe.mitre.org/data/definitions/208.html Added Reference https://github.com/linux-pam/linux-pam Added Reference https://github.com/linux-pam/linux-pam/blob/master/libpam/include/pam_inline.h Added Reference https://github.com/linux-pam/linux-pam/blob/master/modules/pam_userdb/pam_userdb.c#L327