Severity by source
AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, src/device.c passed the return values of udisks_drive_get_serial(), udisks_drive_get_vendor(), and udisks_drive_get_model() directly to strcmp() without NULL checks. The GIO/UDisks API documentation states these accessors can return NULL for devices that do not expose the corresponding field. Passing NULL to strcmp() is undefined behaviour (typically a SIGSEGV). This vulnerability is fixed in 0.8.7.
AnalysisAI
NULL pointer dereference in pam_usb prior to 0.8.7 allows a physically present attacker to crash the PAM authentication stack by inserting a USB device whose serial, vendor, or model metadata fields are absent. The module in src/device.c passes return values from udisks_drive_get_serial(), udisks_drive_get_vendor(), and udisks_drive_get_model() directly to strcmp() without NULL checks, despite the GIO/UDisks2 API explicitly documenting that these accessors can return NULL for devices not exposing those fields. The result is undefined behavior - typically a SIGSEGV - that terminates the authentication process. No public exploit has been identified at time of analysis and no active exploitation is confirmed.
Technical ContextAI
pam_usb is a Linux PAM (Pluggable Authentication Module) that uses ordinary removable USB media as hardware authentication tokens, relying on the GIO/UDisks2 stack to query device properties. The vulnerability resides in src/device.c, where three UDisks2 accessor functions - udisks_drive_get_serial(), udisks_drive_get_vendor(), and udisks_drive_get_model() - are called to retrieve device identity strings and then passed directly to strcmp() for comparison against expected values. The UDisks2 API contract explicitly permits these accessors to return NULL when a device does not expose the corresponding SCSI/ATA field, which is common with certain USB hubs, virtual media devices, and embedded storage controllers. Passing NULL to strcmp() violates the C standard (CWE-476: NULL Pointer Dereference), producing undefined behavior that on Linux systems manifests as a SIGSEGV, terminating the calling process. Because pam_usb operates within the PAM authentication framework, a crash in this module can disrupt the entire authentication chain for the session or service invoking it.
RemediationAI
Upgrade pam_usb to version 0.8.7, which introduces NULL checks before passing UDisks2 accessor return values to strcmp(), eliminating the undefined behavior. This is a vendor-released patch confirmed by the GitHub Security Advisory GHSA-j8cq-2gv6-gfwf at https://github.com/mcdope/pam_usb/security/advisories/GHSA-j8cq-2gv6-gfwf. For environments where immediate patching is not possible, administrators should restrict physical USB port access using hardware port blockers or BIOS/UEFI-level USB disable policies, though this will also prevent legitimate pam_usb-based authentication and may require fallback authentication methods to be configured. An alternative compensating control is to temporarily remove pam_usb from the active PAM stack (e.g., commenting out the relevant line in /etc/pam.d/ configuration files) and substituting a different second-factor or authentication method until the upgrade can be applied - note this disables hardware token authentication entirely during the interim period.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Null Pointer Dereference
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32660