What Is CVE-2026-54411?
CVE-2026-54411 is a timing side-channel vulnerability in the pam_userdb module of Linux-PAM. The issue resides in pam_userdb.c: when the module is used with a database of plaintext passwords, the routine that compares the supplied password with the stored one is not constant-time, so the time the module takes to reject an attempt depends on what it finds in the database. A local attacker who can repeatedly trigger authentication through pam_userdb can measure those response times and systematically enumerate which usernames exist in the backend.
The vulnerability carries a CVSS score of 5.9 (Medium). The score reflects the local attack vector and a confidentiality-only impact (disclosure of valid usernames). Note that timing side channels are normally scored with high, not low, attack complexity, because the attacker must collect and statistically separate many measurements; check the published vector string rather than treating the attack as trivial.
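To make the leak class concrete, here is an added example; it is not code from Linux-PAM or from pam_userdb.c, and the function names, the step counter and the sample strings are assumptions made for illustration. It places an early-exit comparison of the kind strcmp/strncmp perform beside a constant-time one. The step counter stands in for the running time an attacker would measure: for the early-exit version it grows with the length of the matching prefix, for the constant-time version it is the same for every candidate.

```c
/* Added example, not code from Linux-PAM or pam_userdb.c: a minimal model
 * of the leak class the advisory describes. leaky_compare() stops at the
 * first differing byte, so the work it does (and so its running time)
 * depends on how much of the supplied string matches the stored one;
 * ct_compare() does the same amount of work whatever the input. The
 * functions, the step counter and the sample strings are assumptions
 * made for illustration only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Early-exit comparison (the strcmp/strncmp pattern). Returns 1 on match.
 * *steps receives the number of bytes inspected, a stand-in for the time
 * an attacker measures: it grows with the length of the matching prefix. */
int leaky_compare(const char *stored, const char *supplied, size_t *steps)
{
    size_t i = 0;
    for (;; i++) {
        if (stored[i] != supplied[i]) { *steps = i + 1; return 0; }
        if (stored[i] == '\0')        { *steps = i + 1; return 1; }
    }
}

/* Constant-time comparison. Always inspects every byte of `stored`,
 * accumulates differences with OR/XOR instead of branching on them, and
 * folds a length mismatch into the same accumulator instead of returning
 * early. *steps is always strlen(stored): the time still depends on the
 * stored secret's length, but no longer on the supplied input; comparing
 * fixed-length digests removes that dependency as well. */
int ct_compare(const char *stored, const char *supplied, size_t *steps)
{
    size_t n = strlen(stored);
    size_t m = strlen(supplied);
    size_t d = n ^ m;                 /* non-zero iff the lengths differ */
    uint8_t acc = 0;
    size_t i, k;

    for (k = 0; k < sizeof d; k++)    /* fold every byte of d into acc */
        acc |= (uint8_t)(d >> (8 * k));

    for (i = 0; i < n; i++) {
        /* Stay inside `supplied` without a data-dependent branch: once
         * i >= m the index collapses to 0 (acc is already non-zero from
         * the length mismatch, so the byte compared no longer matters). */
        size_t inb = (size_t)(i < m);
        acc |= (uint8_t)stored[i] ^ (uint8_t)supplied[i * inb];
    }
    *steps = n;
    return acc == 0;
}

/* Helpers returning only the step count, used by the demo table. */
size_t leaky_steps(const char *stored, const char *supplied)
{ size_t s; leaky_compare(stored, supplied, &s); return s; }
size_t ct_steps(const char *stored, const char *supplied)
{ size_t s; ct_compare(stored, supplied, &s); return s; }

/* Demo: the step count of leaky_compare() rises with the matching prefix,
 * which is the signal a timing attacker averages out of noisy samples;
 * ct_compare() gives the same count for every candidate. */
int main(void)
{
    const char *secret = "hunter2";                          /* constructed sample */
    const char *candidates[] = { "xunter2", "huntXXX", "hunter", "hunter2", "hunter23" };
    size_t i;
    printf("%-10s %-10s %-10s\n", "candidate", "leaky", "constant");
    for (i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        size_t ls, cs;
        int lr = leaky_compare(secret, candidates[i], &ls);
        int cr = ct_compare(secret, candidates[i], &cs);
        printf("%-10s %zu (%d)      %zu (%d)\n", candidates[i], ls, lr, cs, cr);
    }
    return 0;
}
```

Build with `cc -std=c99` and run it. The same principle drives the username enumeration the advisory describes: whatever the module does differently for an entry that exists versus one that does not shows up as a timing difference that averaging many attempts makes visible. Also note that in C "constant-time" is a property of the compiled code, so the hardened version is only as good as what the compiler emits for it.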
Affected Versions
- Linux-PAM through version 1.7.2 (all releases up to and including 1.7.2)
- Any distribution shipping Linux-PAM ≤ 1.7.2 with pam_userdb built and used against a plaintext password database (the crypt=none mode, as opposed to crypt=crypt with crypt(3) hashes)
Is It Actively Exploited?
As of this writing, there are no public reports of active exploitation in the wild. However, timing-based enumeration is hard to tell apart from ordinary failed logins, so it is difficult to detect after the fact, and an attacker needs only local access and the ability to trigger repeated authentication attempts; prompt remediation is warranted.
Fix
Upstream Linux-PAM is expected to address this in a forthcoming release. In the interim:
- Apply distribution-provided security patches as they become available
- Switch pam_userdb from plaintext to hashed password storage: set crypt=crypt on the pam_userdb.so line and rebuild the database with crypt(3) hashes (for example SHA-512-crypt "$6$" or, where the system's libcrypt supports them, yescrypt or bcrypt) in place of the cleartext passwords
- Where a hashed backend is not feasible, restrict which local accounts can invoke the services that authenticate through pam_userdb, protect the database file itself, and limit pam_userdb use to trusted environments
Recommendations
- Upgrade Linux-PAM to a patched version as soon as your distribution provides one
- Audit PAM configurations for pam_userdb usage and migrate plaintext backends to hashed alternatives
- Monitor vendor advisories for your Linux distribution
- Consider rate limiting authentication attempts at the application level (or adding a failure delay with pam_faildelay) to blunt timing-based enumeration; a fixed delay does not remove the timing difference, but capping the number of attempts limits the samples an attacker can average over
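An audit for the migration and audit items above, as an added example that is not part of this advisory or of Linux-PAM: it walks a PAM service directory and flags every auth line that loads pam_userdb.so without crypt=crypt, the only setting that selects crypt(3) hashes, so a line that says crypt=none or omits the option altogether is flagged. The sample service files, their names and the db= paths are constructed for the demonstration; on a real host point the function at /etc/pam.d.

```shell
# Added example (not part of the advisory or of Linux-PAM): audit a PAM
# service directory for pam_userdb auth lines still using a plaintext backend.
# make_sample_pamd() builds a throwaway directory with constructed service
# files; on a real host run: audit_pam_userdb /etc/pam.d

# Create the constructed sample directory and print its path.
make_sample_pamd() {
    dir=$(mktemp -d)
    # Weak: crypt=none means the database holds plaintext passwords and the
    # module compares them directly. (The account line does no password
    # comparison, so the audit ignores it.)
    printf '%s\n' \
        '# ftp-legacy: constructed sample, not a real service file' \
        'auth     required  pam_userdb.so db=/etc/security/appusers crypt=none' \
        'account  required  pam_userdb.so db=/etc/security/appusers' \
        > "$dir/ftp-legacy"
    # Corrected: crypt=crypt, the database holds crypt(3) hashes instead.
    printf '%s\n' \
        '# ftp-fixed: constructed sample, not a real service file' \
        'auth     required  pam_userdb.so db=/etc/security/appusers crypt=crypt' \
        'account  required  pam_userdb.so db=/etc/security/appusers' \
        > "$dir/ftp-fixed"
    # Unrelated service with no pam_userdb at all.
    printf '%s\n' 'auth     required  pam_unix.so' > "$dir/sshd"
    printf '%s\n' "$dir"
}

# Print "<service>: <line>" for every auth line that loads pam_userdb.so
# without crypt=crypt. Returns 0 when nothing is flagged, 1 otherwise.
audit_pam_userdb() {
    pamd="$1"
    flagged=$(
        for f in "$pamd"/*; do
            [ -f "$f" ] || continue
            svc=$(basename "$f")
            grep -v '^[[:space:]]*#' "$f" \
              | grep -E '^[[:space:]]*-?auth[[:space:]]' \
              | grep 'pam_userdb\.so' \
              | grep -v 'crypt=crypt' \
              | sed "s|^|$svc: |"
        done
    )
    [ -z "$flagged" ] && return 0
    printf '%s\n' "$flagged"
    return 1
}

# Demo on the constructed directory.
sample=$(make_sample_pamd)
audit_pam_userdb "$sample" || echo "plaintext pam_userdb backend(s) found above"
rm -rf "$sample"
```

The flagged ftp-legacy line is fixed by changing crypt=none to crypt=crypt and rebuilding the database with crypt(3) hashes (for example from `openssl passwd -6`) in place of the cleartext values, as the ftp-fixed file shows; pam_userdb(8) documents the database format and the db_load invocation that builds it. Account-type lines do not compare a password, so the audit skips them.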
Disclaimer: Threat Modeling provides this vulnerability intelligence for informational purposes only. Always verify against official vendor advisories and test patches in your environment before deployment.
