Thehackerwire
Linux-PAM CVE-2026-54411 Exposes Passwords via Timing Attack
A newly published advisory, CVE-2026-54411, describes a vulnerability in Linux-PAM up to and including version 1.7.2. The flaw is in the pam_userdb module: when the module is configured to compare plaintext passwords (crypt=none, or no crypt option at all, in which case the credentials in the database are stored in plaintext), the comparison takes a measurably different amount of time depending on how much of the submitted password matches the stored one. A local or network-adjacent attacker who can drive repeated authentication attempts can measure those timing differences and recover the plaintext password. The CVE was published on June 14, 2026 and is rated medium severity. Administrators are advised to review their pam_userdb configuration and avoid storing credentials in plaintext.
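To make the timing leak concrete, the following C program is an added example written for this page; it is not pam_userdb's code and does not reproduce the exact comparison in Linux-PAM. It pairs a hypothetical early-exit string comparison (the pattern the advisory describes) with a constant-time one, counts byte steps as a stand-in for elapsed time, and runs a simulated attacker that extends a known prefix one byte at a time by keeping the candidate that took longest to reject. The stored password "hunter22", the MAX_LEN bound and the printable-ASCII candidate range are all assumptions made for the demo.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LEN 64   /* assumed maximum password length for this demo */

/* Comparison routine: returns 1 on match, 0 otherwise, and reports the
 * number of byte steps taken, which stands in for elapsed time. */
typedef int (*cmp_fn)(const char *stored, const char *guess, size_t *steps);

/* Hypothetical early-exit comparison of the kind the advisory describes for
 * pam_userdb's plaintext path (not the module's own code): it stops at the
 * first mismatch, so the work done grows with the length of the common
 * prefix between the guess and the stored password. */
int leaky_compare(const char *stored, const char *guess, size_t *steps)
{
    size_t i = 0;
    *steps = 0;
    for (;;) {
        (*steps)++;
        if (stored[i] != guess[i])
            return 0;                 /* early exit leaks the prefix length */
        if (stored[i] == '\0')
            return 1;                 /* both strings ended together */
        i++;
    }
}

/* Constant-time comparison: always walks MAX_LEN bytes, ORs every
 * difference into an accumulator and folds the length mismatch in at the
 * end, so the work done no longer depends on where the first mismatch is.
 * (Lengths are bounded by MAX_LEN, so the unsigned char cast is safe.) */
int ct_compare(const char *stored, const char *guess, size_t *steps)
{
    size_t slen = strlen(stored), glen = strlen(guess);
    if (slen > MAX_LEN) slen = MAX_LEN;
    if (glen > MAX_LEN) glen = MAX_LEN;
    unsigned char diff = 0;
    *steps = 0;
    for (size_t i = 0; i < MAX_LEN; i++) {
        unsigned char a = (i < slen) ? (unsigned char)stored[i] : 0;
        unsigned char b = (i < glen) ? (unsigned char)guess[i] : 0;
        diff |= a ^ b;
        (*steps)++;
    }
    diff |= (unsigned char)(slen ^ glen);
    return diff == 0;
}

/* Simulated attacker: extends a known prefix one byte at a time, keeping
 * the candidate whose comparison took the most steps. Returns 1 and fills
 * out[] if the password is recovered within MAX_LEN bytes, else 0. */
int recover_password(const char *stored, cmp_fn cmp, char out[MAX_LEN + 1])
{
    char guess[MAX_LEN + 2];
    size_t known = 0;
    out[0] = '\0';
    while (known < MAX_LEN) {
        size_t best_steps = 0, steps = 0;
        int best_c = 0x20;
        for (int c = 0x20; c <= 0x7e; c++) {   /* printable ASCII candidates */
            memcpy(guess, out, known);
            guess[known] = (char)c;
            guess[known + 1] = '\0';
            if (cmp(stored, guess, &steps)) {  /* full match: done */
                memcpy(out, guess, known + 2);
                return 1;
            }
            if (steps > best_steps) { best_steps = steps; best_c = c; }
        }
        out[known++] = (char)best_c;           /* slowest rejection wins */
        out[known] = '\0';
    }
    return 0;
}

int main(void)
{
    char out[MAX_LEN + 1];
    int ok = recover_password("hunter22", leaky_compare, out);
    printf("early-exit compare: recovered=%d value=%s\n", ok, out);
    ok = recover_password("hunter22", ct_compare, out);
    printf("constant-time compare: recovered=%d\n", ok);
    return 0;
}
```

Against the early-exit comparison the simulated attacker walks the password out in at most 95 guesses per byte; against the constant-time version every candidate costs the same and the search goes nowhere. A constant-time compare only removes the side channel, though. The mitigation the advisory points to is configuration: keep crypt(3) hashes in the pam_userdb database and set crypt=crypt so that no plaintext comparison happens at all.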
Key Points:
• CVE-2026-54411 affects Linux-PAM versions up to 1.7.2.
• The vulnerability allows attackers to exploit timing discrepancies to recover plaintext passwords.
• Mitigation requires proper configuration of pam_userdb to avoid storing credentials in plaintext.