{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-54411", "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "state": "PUBLISHED", "assignerShortName": "TuranSec", "dateReserved": "2026-06-13T16:39:46.122Z", "datePublished": "2026-06-14T17:21:43.853Z", "dateUpdated": "2026-06-15T16:59:37.818Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "shortName": "TuranSec", "dateUpdated": "2026-06-14T17:21:43.853Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-208", "description": "CWE-208 Observable Timing Discrepancy", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "An attacker who can repeatedly drive authentication through a service that invokes pam_userdb with plaintext-password configuration and without an artificial failure delay can measure response-timing differences to learn the correct password length and recover the plaintext password byte by byte. Recovery requires many measurements per character and is sensitive to scheduling and network jitter; recovery of one user's secret does not by itself yield access to other accounts. Practical exploitation is gated by an administrative misconfiguration (pam_userdb storing passwords in plaintext, reached when the module is configured with crypt=none, with an unknown crypt method, or with no crypt= option) and by the absence of failure-delay or rate-limiting in the calling service."}]}], "affected": [{"vendor": "Linux-PAM", "product": "Linux-PAM", "collectionURL": "https://github.com/linux-pam/linux-pam", "repo": "https://github.com/linux-pam/linux-pam", "modules": ["pam_userdb"], "programFiles": ["modules/pam_userdb/pam_userdb.c"], "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.7.2", "versionType": "semver"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module's plaintext-password comparison path in modules/pam_userdb/pam_userdb.c that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the plaintext password of a target account by measuring response-timing differences. The comparison uses strncmp() (or strncasecmp() when PAM_ICASE_ARG is set) preceded by a length-equality check, so the time to reject a candidate depends on the index of the first differing byte and on whether the candidate's length matches the stored password, leaking the password length and individual prefix bytes. The vulnerable path is reached when the administrator configures pam_userdb with crypt=none, with an unrecognized crypt method, or without a crypt= argument, causing the module to store and compare credentials in plaintext.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module's plaintext-password comparison path in <code>modules/pam_userdb/pam_userdb.c</code> that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the plaintext password of a target account by measuring response-timing differences. The comparison uses <code>strncmp()</code> (or <code>strncasecmp()</code> when <code>PAM_ICASE_ARG</code> is set) preceded by a length-equality check, so the time to reject a candidate depends on the index of the first differing byte and on whether the candidate's length matches the stored password, leaking the password length and individual prefix bytes. The vulnerable path is reached when the administrator configures pam_userdb with <code>crypt=none</code>, with an unrecognized crypt method, or without a <code>crypt=</code> argument, causing the module to store and compare credentials in plaintext.</p>"}]}], "references": [{"url": "https://github.com/linux-pam/linux-pam", "name": "Linux-PAM - upstream repository", "tags": ["product"]}, {"url": "https://github.com/linux-pam/linux-pam/blob/master/modules/pam_userdb/pam_userdb.c#L327", "name": "Vulnerable plaintext-password comparison in pam_userdb.c (master)", "tags": ["product"]}, {"url": "https://github.com/linux-pam/linux-pam/blob/master/libpam/include/pam_inline.h", "name": "pam_consttime_streq helper available for the remediation", "tags": ["product"]}, {"url": "https://cwe.mitre.org/data/definitions/208.html", "name": "CWE-208: Observable Timing Discrepancy", "tags": ["technical-description"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "An attacker repeatedly authenticates through a service that calls pam_userdb (plaintext mode) and measures the time the service takes to reject each candidate password to learn the password length and recover the password one byte at a time."}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "Safety": "NOT_DEFINED", "Automatable": "NO", "Recovery": "NOT_DEFINED", "valueDensity": "DIFFUSE", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/AU:N/V:D"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "credits": [{"lang": "en", "value": "Xurshidbek Sobirjonov", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.2"}, "x_author": "Xurshidbek Sobirjonov", "x_assigner_notes": "The vulnerable comparison was verified by direct source inspection of modules/pam_userdb/pam_userdb.c at tag v1.7.2 and at master HEAD as of disclosure: lines 327-332 perform a length-equality early exit followed by strncmp() / strncasecmp(). Linux-PAM has previously addressed the same weakness class in a sibling module: NEWS for Release 1.7.0 records \"pam_unix: compare password hashes in constant time\", and Release 1.6.0 hardened pam_mkhomedir \"against timing attacks\". The pam_consttime_streq() helper used by those fixes lives in libpam/include/pam_inline.h, which pam_userdb.c already includes, so the remediation in pam_userdb is a drop-in replacement of the strncmp call. The v1.7.2 release notes do not list a pam_userdb hardening change. Exploitation is gated by (a) the administrator having configured pam_userdb with plaintext password storage (crypt=none, unknown crypt method, or no crypt= option), a discouraged but documented configuration; and (b) the calling service not applying an authentication-failure delay - both gates raise attack complexity and bound real-world impact, so CVSS is scored MEDIUM rather than HIGH consistent with prior CWE-208 timing-leak CVE scoring."}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-15T16:59:25.401303Z", "id": "CVE-2026-54411", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-15T16:59:37.818Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Xurshidbek Sobirjonov"}], "impacts": [{"descriptions": [{"lang": "en", "value": "An attacker who can repeatedly drive authentication through a service that invokes pam_userdb with plaintext-password configuration and without an artificial failure delay can measure response-timing differences to learn the correct password length and recover the plaintext password byte by byte. Recovery requires many measurements per character and is sensitive to scheduling and network jitter; recovery of one user's secret does not by itself yield access to other accounts. Practical exploitation is gated by an administrative misconfiguration (pam_userdb storing passwords in plaintext, reached when the module is configured with crypt=none, with an unknown crypt method, or with no crypt= option) and by the absence of failure-delay or rate-limiting in the calling service."}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NO", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/AU:N/V:D", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "An attacker repeatedly authenticates through a service that calls pam_userdb (plaintext mode) and measures the time the service takes to reject each candidate password to learn the password length and recover the password one byte at a time."}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/linux-pam/linux-pam", "vendor": "Linux-PAM", "modules": ["pam_userdb"], "product": "Linux-PAM", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.7.2"}], "programFiles": ["modules/pam_userdb/pam_userdb.c"], "collectionURL": "https://github.com/linux-pam/linux-pam", "defaultStatus": "unknown"}], "x_author": "Xurshidbek Sobirjonov", "references": [{"url": "https://github.com/linux-pam/linux-pam", "name": "Linux-PAM - upstream repository", "tags": ["product"]}, {"url": "https://github.com/linux-pam/linux-pam/blob/master/modules/pam_userdb/pam_userdb.c#L327", "name": "Vulnerable plaintext-password comparison in pam_userdb.c (master)", "tags": ["product"]}, {"url": "https://github.com/linux-pam/linux-pam/blob/master/libpam/include/pam_inline.h", "name": "pam_consttime_streq helper available for the remediation", "tags": ["product"]}, {"url": "https://cwe.mitre.org/data/definitions/208.html", "name": "CWE-208: Observable Timing Discrepancy", "tags": ["technical-description"]}], "x_generator": {"engine": "Vulnogram 1.0.2"}, "descriptions": [{"lang": "en", "value": "Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module's plaintext-password comparison path in modules/pam_userdb/pam_userdb.c that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the plaintext password of a target account by measuring response-timing differences. The comparison uses strncmp() (or strncasecmp() when PAM_ICASE_ARG is set) preceded by a length-equality check, so the time to reject a candidate depends on the index of the first differing byte and on whether the candidate's length matches the stored password, leaking the password length and individual prefix bytes. The vulnerable path is reached when the administrator configures pam_userdb with crypt=none, with an unrecognized crypt method, or without a crypt= argument, causing the module to store and compare credentials in plaintext.", "supportingMedia": [{"type": "text/html", "value": "<p>Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module's plaintext-password comparison path in <code>modules/pam_userdb/pam_userdb.c</code> that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the plaintext password of a target account by measuring response-timing differences. The comparison uses <code>strncmp()</code> (or <code>strncasecmp()</code> when <code>PAM_ICASE_ARG</code> is set) preceded by a length-equality check, so the time to reject a candidate depends on the index of the first differing byte and on whether the candidate's length matches the stored password, leaking the password length and individual prefix bytes. The vulnerable path is reached when the administrator configures pam_userdb with <code>crypt=none</code>, with an unrecognized crypt method, or without a <code>crypt=</code> argument, causing the module to store and compare credentials in plaintext.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-208", "description": "CWE-208 Observable Timing Discrepancy"}]}], "providerMetadata": {"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "shortName": "TuranSec", "dateUpdated": "2026-06-14T17:21:43.853Z"}, "x_assigner_notes": "The vulnerable comparison was verified by direct source inspection of modules/pam_userdb/pam_userdb.c at tag v1.7.2 and at master HEAD as of disclosure: lines 327-332 perform a length-equality early exit followed by strncmp() / strncasecmp(). Linux-PAM has previously addressed the same weakness class in a sibling module: NEWS for Release 1.7.0 records \"pam_unix: compare password hashes in constant time\", and Release 1.6.0 hardened pam_mkhomedir \"against timing attacks\". The pam_consttime_streq() helper used by those fixes lives in libpam/include/pam_inline.h, which pam_userdb.c already includes, so the remediation in pam_userdb is a drop-in replacement of the strncmp call. The v1.7.2 release notes do not list a pam_userdb hardening change. Exploitation is gated by (a) the administrator having configured pam_userdb with plaintext password storage (crypt=none, unknown crypt method, or no crypt= option), a discouraged but documented configuration; and (b) the calling service not applying an authentication-failure delay - both gates raise attack complexity and bound real-world impact, so CVSS is scored MEDIUM rather than HIGH consistent with prior CWE-208 timing-leak CVE scoring."}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-54411", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-15T16:59:25.401303Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-06-15T16:59:29.063Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-54411", "state": "PUBLISHED", "dateUpdated": "2026-06-14T17:21:43.853Z", "dateReserved": "2026-06-13T16:39:46.122Z", "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "datePublished": "2026-06-14T17:21:43.853Z", "assignerShortName": "TuranSec"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module's plaintext-password comparison path in modules/pam_userdb/pam_userdb.c that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the plaintext password of a target account by measuring response-timing differences. The comparison uses strncmp() (or strncasecmp() when PAM_ICASE_ARG is set) preceded by a length-equality check, so the time to reject a candidate depends on the index of the first differing byte and on whether the candidate's length matches the stored password, leaking the password length and individual prefix bytes. The vulnerable path is reached when the administrator configures pam_userdb with crypt=none, with an unrecognized crypt method, or without a crypt= argument, causing the module to store and compare credentials in plaintext."}], "id": "CVE-2026-54411", "lastModified": "2026-06-16T15:36:43.610", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NO", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:D/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}]}, "published": "2026-06-14T18:17:20.587", "references": [{"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "url": "https://cwe.mitre.org/data/definitions/208.html"}, {"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "url": "https://github.com/linux-pam/linux-pam"}, {"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "url": "https://github.com/linux-pam/linux-pam/blob/master/libpam/include/pam_inline.h"}, {"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "url": "https://github.com/linux-pam/linux-pam/blob/master/modules/pam_userdb/pam_userdb.c#L327"}], "sourceIdentifier": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-208"}], "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}]}

{"bugzilla": {"description": "linux-pam: From CVEorg collector", "id": "2488766", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488766"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "details": ["Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module's plaintext-password comparison path in modules/pam_userdb/pam_userdb.c that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the plaintext password of a target account by measuring response-timing differences. The comparison uses strncmp() (or strncasecmp() when PAM_ICASE_ARG is set) preceded by a length-equality check, so the time to reject a candidate depends on the index of the first differing byte and on whether the candidate's length matches the stored password, leaking the password length and individual prefix bytes. The vulnerable path is reached when the administrator configures pam_userdb with crypt=none, with an unrecognized crypt method, or without a crypt= argument, causing the module to store and compare credentials in plaintext.", "A flaw was found in Linux-PAM's `pam_userdb` module. This vulnerability, categorized as an Observable Timing Discrepancy (CWE-208), allows a local or network-adjacent attacker to recover plaintext passwords. By repeatedly attempting authentication and measuring response-timing differences during plaintext password comparison, an attacker can deduce the password. This flaw is exploitable when the `pam_userdb` module is configured to store and compare credentials in plaintext, which is not a default setting."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, administrators should ensure that the `pam_userdb` module is not configured to store or compare credentials in plaintext. Verify that `pam_userdb` is either configured with a strong cryptographic hashing method or, if not required, is disabled. Avoid using `crypt=none` or omitting the `crypt=` argument when configuring `pam_userdb`. If changes are made to PAM configuration files, services relying on PAM may need to be restarted for the changes to take effect."}, "name": "CVE-2026-54411", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "pam", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "pam", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "pam", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Under investigation", "package_name": "pam", "product_name": "Red Hat Hardened Images"}], "public_date": "2026-06-14T17:21:43Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-54411\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-54411\nhttps://cwe.mitre.org/data/definitions/208.html\nhttps://github.com/linux-pam/linux-pam\nhttps://github.com/linux-pam/linux-pam/blob/master/libpam/include/pam_inline.h\nhttps://github.com/linux-pam/linux-pam/blob/master/modules/pam_userdb/pam_userdb.c#L327"], "statement": "This Moderate flaw in Linux-PAM's `pam_userdb` module allows a local or network-adjacent attacker to recover plaintext passwords through a timing discrepancy. This vulnerability requires the `pam_userdb` module to be explicitly configured to store and compare credentials in plaintext, which is not a default or recommended configuration in Red Hat Enterprise Linux environments. The impact is limited by the need for repeated authentication attempts and specific, non-default module configurations.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.7.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux-PAM", "source": "cna", "vendor": "Linux-PAM"}, "product": "linux-pam", "vendor": "linux-pam"}], "created": "2026-06-14T18:30:12.975671+00:00", "title": "Timing Attack Enables Password Reconstruction in Linux-PAM pam_userdb", "updated": "2026-06-14T19:00:08.850881+00:00", "vendors": ["linux-pam", "linux-pam$PRODUCT$linux-pam"]}