CVE-2026-54411
MediumCVSS 5.9Exploitation Probability (EPSS)
Low risk24th percentile — higher than 24% of all known CVEs
Summary
Linux-PAM through version 1.7.2 contains a vulnerability in the pam_userdb module that allows a local or network-adjacent attacker to recover plaintext passwords by measuring response timing differences during the authentication process. The issue arises from plaintext password comparisons that leak password length and individual prefix bytes.
Risk Assessment
This vulnerability poses a risk of exposing user passwords, potentially leading to unauthorized access to accounts and system resources. Attackers may exploit this flaw to perform brute-force attacks on passwords.
Recommendation
It is recommended that administrators configure pam_userdb with an appropriate password encryption method, avoiding the use of crypt=none and ensuring that passwords are stored in an encrypted form.
Original NVD description (English source)
Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module's plaintext-password comparison path in modules/pam_userdb/pam_userdb.c that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the plaintext password of a target account by measuring response-timing differences. The comparison uses strncmp() (or strncasecmp() when PAM_ICASE_ARG is set) preceded by a length-equality check, so the time to reject a candidate depends on the index of the first differing byte and on whether the candidate's length matches the stored password, leaking the password length and individual prefix bytes. The vulnerable path is reached when the administrator configures pam_userdb with crypt=none, with an unrecognized crypt method, or without a crypt= argument, causing the module to store and compare credentials in plaintext.

