CVE-2026-54411: Linux-PAM Timing Attack Exposes Passwords
🟠 High | Source: Microsoft Security Response Center

A timing side-channel vulnerability in Linux-PAM (through version 1.7.2) allows an attacker to recover plaintext passwords by measuring subtle differences in authentication response times. The flaw exists in the pam_userdb module when configured to store credentials in plaintext — a non-default but valid configuration. By repeatedly probing an exposed authentication service, an attacker can deduce the password length and individual characters byte by byte. ...
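The leak the advisory describes is the classic failure mode of a password check that stops at the first mismatching byte: the response time tracks how many leading bytes of the guess were correct, and a length mismatch returns fastest of all. The following is an added example, not code from Linux-PAM or pam_userdb, showing that comparison shape next to a constant-time replacement. The function names, the `work` counter (a stand-in for elapsed time so the difference is visible without a stopwatch) and the sample secret are all constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Linux-PAM code. `work` counts byte comparisons as a
 * stand-in for elapsed time so the leak is visible without timing anything. */

/* Naive compare (the shape that leaks): returns 0 on match, 1 otherwise.
 * It exits on a length mismatch and again on the first differing byte, so the
 * work done depends on how many leading bytes of the guess are correct. */
int naive_compare(const char *stored, const char *guess, size_t *work)
{
    *work = 0;
    if (strlen(stored) != strlen(guess))
        return 1;                       /* instant exit reveals the length */
    for (size_t i = 0; stored[i] != '\0'; i++) {
        (*work)++;
        if (stored[i] != guess[i])
            return 1;                   /* early exit reveals the matching prefix */
    }
    return 0;
}

/* Constant-time compare: returns 0 on match, 1 otherwise. Every byte of the
 * guess is processed, the length mismatch is folded into the accumulator
 * instead of being branched on, and bytes past the end of the stored secret
 * are masked to zero rather than skipped. Work depends only on the guess
 * length, which the caller already knows, never on the stored secret. */
int ct_compare(const char *stored, const char *guess, size_t *work)
{
    size_t slen = strlen(stored);
    size_t glen = strlen(guess);
    unsigned char diff = (unsigned char)(slen != glen);
    *work = 0;
    for (size_t i = 0; i < glen; i++) {
        size_t in_range = (size_t)(i < slen);          /* 1 or 0, used as a mask */
        /* index 0 is always valid, so out-of-range positions read stored[0] and are masked off */
        unsigned char s = (unsigned char)stored[i * in_range] & (unsigned char)(0 - in_range);
        diff |= s ^ (unsigned char)guess[i];
        (*work)++;
    }
    return diff != 0;
}

int main(void)
{
    const char *secret = "correct horse";        /* constructed sample secret */
    const char *guesses[] = { "axxxxxxxxxxxx", "cxxxxxxxxxxxx",
                              "correct hxxxx", "correct horse" };
    size_t w;
    for (size_t g = 0; g < 4; g++) {
        int r = naive_compare(secret, guesses[g], &w);
        printf("naive %-14s -> %d, work=%zu\n", guesses[g], r, w);
        r = ct_compare(secret, guesses[g], &w);
        printf("ct    %-14s -> %d, work=%zu\n", guesses[g], r, w);
    }
    return 0;
}
```

Run stand-alone, the naive version's `work` climbs with each correctly guessed prefix byte while the constant-time version's stays fixed for every guess of the same length. Two caveats for anyone fixing a module of this kind: the masking above removes data-dependent branches at the C level, but a compiler or CPU can still reintroduce them, and the stronger remedy is the one the advisory implies, namely not storing plaintext at all and comparing fixed-length digests, which also takes the length signal away. On the detection side, the repeated probing the advisory describes presents as a sustained stream of failed authentications for one account from one source, which is the pattern to alert on while the configuration is corrected.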