pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, src/tmux.c reads the user's $TMUX environment variable, split…

Published:

26 May 2026 at 22:00:00

Alert date:

27 May 2026 at 22:02:45

Source:

nvd.nist.gov

Operating Systems, Identity & Access

CVE-2026-44713 affects pam_usb, a hardware authentication system for Linux using removable media. The vulnerability exists in versions prior to 0.8.7 where src/tmux.c improperly handles the $TMUX environment variable. The code splits the variable on commas and interpolates the socket-path component directly into a shell command via popen() without sanitization. Because the value is placed inside double-quotes without proper escaping, any input containing a double-quote character can terminate the quoted string and inject arbitrary shell commands. This is particularly dangerous as popen() executes with root privileges within the PAM authentication stack. The vulnerability has been patched in version 0.8.7.
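The flaw class described above, with one way to avoid it, as an added example: this is not pam_usb source code and not the 0.8.7 patch. The function names, the `list-clients` subcommand and the sample values are assumptions made for illustration. The socket path is checked against an allowlist and passed as a single argv element for `execv()`, so no shell ever parses it.

```c
#include <stdio.h>
#include <string.h>

/* Pattern the advisory describes (sketch, not pam_usb source):
 *   snprintf(cmd, sizeof cmd, "tmux -S \"%s\" list-clients", sock);
 *   popen(cmd, "r");    sock comes from $TMUX; /bin/sh parses it as root
 */

/* Copy the socket-path component (text before the first comma) of a
 * $TMUX value into out. Returns 0 on success, -1 if it is not a plain
 * absolute path. Allowlist: anything outside [A-Za-z0-9/._-] is refused,
 * which covers the double quote and every other shell metacharacter. */
int tmux_socket_from_env(const char *tmux_env, char *out, size_t outlen)
{
    static const char ok[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/._-";
    if (tmux_env == NULL || out == NULL || outlen == 0)
        return -1;
    size_t len = strcspn(tmux_env, ",");   /* first component only */
    if (len == 0 || len >= outlen || tmux_env[0] != '/')
        return -1;
    if (strspn(tmux_env, ok) < len)        /* disallowed byte before the comma */
        return -1;
    memcpy(out, tmux_env, len);
    out[len] = '\0';
    return 0;
}

/* Fill argv for execv(): the path is one argument, never shell text.
 * "list-clients" is an illustrative subcommand (assumption). */
int tmux_build_argv(const char *tmux_env, char *sock, size_t socklen,
                    const char *argv[5])
{
    if (tmux_socket_from_env(tmux_env, sock, socklen) != 0)
        return -1;
    argv[0] = "tmux"; argv[1] = "-S"; argv[2] = sock;
    argv[3] = "list-clients"; argv[4] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample values, not taken from the advisory. */
    const char *samples[] = { "/tmp/tmux-1000/default,1234,0", "/tmp/a\"b,1,0" };
    char sock[108];
    const char *argv[5];
    for (size_t i = 0; i < 2; i++)
        printf("%s -> %s\n", samples[i],
               tmux_build_argv(samples[i], sock, sizeof sock, argv) == 0
                   ? argv[2] : "rejected");
    return 0;
}
```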

Affected products:

pam_usb

This article was created with the assistance of AI technology by Perceptive.
