What is the CVSS score of CVE-2026-48064?

CVE-2026-48064 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of pam_usb are affected by CVE-2026-48064?

pam_usb versions prior to 0.9.1 contain an authentication bypass that enables unauthorized remote access when administrators configure the remote-access setting to permit XDMCP sessions-a common…. A patch is available.

pam_usb CVE-2026-48064

EUVD-2026-32650 HIGH

Incorrect Authorization (CWE-863)

2026-05-27 GitHub_M

Authentication Bypass

8.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch available

May 27, 2026 - 22:04 EUVD

Analysis Generated

May 27, 2026 - 21:01 vuln.today

CVE Published

May 27, 2026 - 19:59 nvd

HIGH 8.1

DescriptionNVD

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, when a PAM service is configured with deny_remote=false in pam_usb (commonly done for display managers such as gdm-password or lightdm to bypass process/TTY heuristics for local sessions), the PAM_RHOST check in pusb_do_auth() is also skipped. PAM_RHOST is set by remote daemons (sshd, XDMCP servers) to identify the remote client address. Because the check is gated inside if (opts.deny_remote), a genuine remote XDMCP connection reaches the USB device authentication step instead of being rejected. This vulnerability is fixed in 0.9.1.

AnalysisAI

Authentication bypass in pam_usb before 0.9.1 allows remote unauthenticated attackers to reach the USB hardware-authentication step over XDMCP when an administrator has set deny_remote=false - a common tweak for display managers like gdm-password or lightdm. Because the PAM_RHOST remote-client check is gated inside the same deny_remote conditional, disabling deny_remote inadvertently disables the safeguard that rejects remote connections, so a genuine remote XDMCP session is treated like a local one. …

RemediationAI

Within 24 hours: audit all systems running pam_usb to identify instances with deny_remote=false; immediately re-enable deny_remote=true or disable XDMCP if remote display access is not required. Within 7 days: complete remediation across all affected systems and implement network-level access controls restricting XDMCP to trusted networks only. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-48064 vulnerability details – vuln.today

Back

pam_usb CVE-2026-48064

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code