NIXPKGS-2026-1922

GitHub issue published 8 hours ago

Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in …

Permalink CVE-2026-54411

6.9 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Attack Requirement (AT): Present (P)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): High (H)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Automatable (AU): No (N)
Value Density (V): Diffuse (D)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Attack Requirement (MAT): Present (P)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): High (H)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Recovery (R): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

updated 8 hours ago by @LeSuisse Activity log

Created suggestion 13 hours ago
@LeSuisse ignored
2 references
- CWE-208: Observable Timing Discrepancy
- Linux-PAM - upstream repository
8 hours ago
@LeSuisse accepted 8 hours ago
@LeSuisse published on GitHub 8 hours ago

Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in …

Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module's plaintext-password comparison path in modules/pam_userdb/pam_userdb.c that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the plaintext password of a target account by measuring response-timing differences. The comparison uses strncmp() (or strncasecmp() when PAM_ICASE_ARG is set) preceded by a length-equality check, so the time to reject a candidate depends on the index of the first differing byte and on whether the candidate's length matches the stored password, leaking the password length and individual prefix bytes. The vulnerable path is reached when the administrator configures pam_userdb with crypt=none, with an unrecognized crypt method, or without a crypt= argument, causing the module to store and compare credentials in plaintext.

References

Ignored references (2)

CWE-208: Observable Timing Discrepancy technical-description
Linux-PAM - upstream repository product

Affected products

Linux-PAM

=<1.7.2

Matching in nixpkgs

pkgs.pam

Pluggable Authentication Modules, a flexible mechanism for authenticating user

nixos-unstable 1.7.1
- nixpkgs-unstable 1.7.1
- nixos-unstable-small 1.7.1
nixos-26.05 1.7.1
- nixos-26.05-small 1.7.1
- nixpkgs-26.05-darwin 1.7.1

pkgs.linux-pam