Skip to main content

pam_usb CVE-2026-47271

| EUVDEUVD-2026-32654 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-27 GitHub_M
5.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.1 MEDIUM
AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch available
May 27, 2026 - 22:04 EUVD
Source Code Evidence Fetched
May 27, 2026 - 21:29 vuln.today
Analysis Generated
May 27, 2026 - 21:29 vuln.today
CVE Published
May 27, 2026 - 20:08 nvd
MEDIUM 5.1

DescriptionGitHub Advisory

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, src/mem.c implemented out-of-memory guards for xmalloc(), xrealloc(), and xstrdup() using assert(data != NULL). The C standard specifies that all assert() expressions are compiled out when NDEBUG is defined at build time. NDEBUG is commonly defined in release and packaging builds (Debian, Fedora, Arch package flags all define it via -DNDEBUG in CFLAGS). With the guard removed, xmalloc/xrealloc/xstrdup silently return NULL on allocation failure. Every caller in the codebase dereferences the return value without a NULL check -- this is the intended design, as the guard was supposed to abort before the dereference. With the guard gone, any allocation failure causes a NULL pointer dereference, crashing the PAM module. A crash in a PAM module loaded by sudo or login causes authentication to fail for the duration of the crash, creating a local denial-of-service condition. An attacker who can induce memory pressure at authentication time can lock all users out of sudo and login. This vulnerability is fixed in 0.9.0.

AnalysisAI

pam_usb prior to 0.9.0 crashes under memory pressure due to assert()-based OOM guards in src/mem.c that are silently stripped by standard distribution build flags, enabling a local denial-of-service against authentication subsystems. Any allocation failure in xmalloc(), xrealloc(), or xstrdup() returns NULL, which every caller then dereferences unconditionally - the intended abort-before-dereference guarantee exists only in debug builds, not in Debian, Fedora, or Arch Linux packages that define -DNDEBUG via CFLAGS. A local attacker who can induce memory pressure at authentication time causes the PAM module to crash, locking all users out of sudo and login for the duration of the crash. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

pam_usb (CPE: cpe:2.3:a:mcdope:pam_usb:*:*:*:*:*:*:*:*) is a Linux PAM module that provides hardware-based authentication via removable USB media. Its memory allocation wrappers in src/mem.c - xmalloc(), xrealloc(), and xstrdup() - used assert(data != NULL) as their sole out-of-memory guard. The C standard (ISO/IEC 9899) specifies that the entire assert() expression, including its side effects, is elided when the translation unit is compiled with NDEBUG defined. Distribution-level packaging for Debian, Fedora, and Arch Linux routinely inject -DNDEBUG into CFLAGS for release builds, silently removing these guards from the compiled binary. With the guard absent, any failed heap allocation propagates a NULL return value that is immediately dereferenced by callers - a textbook CWE-476 (NULL Pointer Dereference) condition. Because pam_usb runs within the PAM stack loaded by privileged binaries such as sudo and login, a module crash translates directly into authentication failure at the OS level.

RemediationAI

The primary fix is to upgrade to pam_usb 0.9.0, which replaces assert()-based OOM guards in src/mem.c with explicit NULL checks followed by unconditional abort() calls, ensuring the guard is present in all build configurations regardless of NDEBUG. The upstream fix commit is at https://github.com/mcdope/pam_usb/commit/d003e551b794a9e3774ff4720830fb7aadaa48bd. For systems that cannot upgrade immediately, an interim compensating control is to rebuild pam_usb from source omitting -DNDEBUG from CFLAGS, which restores the assert() behavior - but this requires managing custom packages outside the distribution's update path and may be overwritten on the next OS-level package update. A second partial mitigation is to ensure the system has sufficient free memory headroom during authentication windows by limiting concurrent memory-intensive workloads, though this is not a reliable or enforceable control. Distribution maintainers for Debian, Fedora, and Arch Linux should be notified to rebuild and ship updated packages from 0.9.0.

Share

CVE-2026-47271 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy