Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/conf.c allocates heap memory proportional to n_devices, a count derived from libxml2 XPath evaluation of the config file, without first enforcing an upper bound. On 32-bit targets (armv7l, i686 -- both listed in the project Makefile), the multiplication n_devices * sizeof(t_pusb_device) wraps around size_t, causing xmalloc() to receive a very small size. Because xmalloc() only calls abort() on NULL return, a small-but-non-NULL allocation is accepted, and subsequent array writes overflow the heap. This vulnerability is fixed in 0.9.1.
AnalysisAI
Heap buffer overflow in pam_usb prior to 0.9.1 allows a local attacker with high privileges to corrupt heap memory on 32-bit Linux platforms (armv7l, i686) by supplying a crafted configuration file with an excessive device count. The root cause is an unchecked integer multiplication in src/conf.c where n_devices * sizeof(t_pusb_device) wraps around size_t on 32-bit targets, causing xmalloc() to receive a drastically undersized allocation that is silently accepted, enabling out-of-bounds writes into heap memory. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, successful exploitation yields full confidentiality, integrity, and availability impact on the affected host.
Technical ContextAI
pam_usb is a Linux PAM module that authenticates users via removable USB media, reading its configuration from an XML file parsed using libxml2 XPath queries. The vulnerable code resides in src/conf.c, where the integer n_devices - derived from the XPath-evaluated count of device entries in the config - is multiplied by sizeof(t_pusb_device) to compute a heap allocation size. On 32-bit architectures (armv7l and i686, both explicitly listed in the project Makefile), the type size_t is 32 bits wide, meaning sufficiently large n_devices values cause the multiplication result to wrap around to a small integer. xmalloc() calls abort() only on NULL return; a small-but-valid pointer is returned and accepted without error. Subsequent array writes then overflow the undersized heap buffer. This is a classic CWE-122 (Heap-based Buffer Overflow) triggered by an integer overflow precondition (related to CWE-190), and is exclusively reproducible on 32-bit targets due to the size_t width constraint. The CPE cpe:2.3:a:mcdope:pam_usb:*:*:*:*:*:*:*:* indicates all releases prior to the fix are affected.
RemediationAI
Upgrade pam_usb to version 0.9.1, which is the vendor-confirmed patched release per the GitHub security advisory at https://github.com/mcdope/pam_usb/security/advisories/GHSA-24mw-m2vf-36vp. This fix is expected to introduce an upper-bound check on n_devices before the heap allocation multiplication in src/conf.c, preventing the integer wrap-around. For environments that cannot immediately upgrade, the most effective compensating control is to ensure the pam_usb configuration file (typically /etc/pam_usb.conf) is writable only by root (mode 0600 or 0640, owned by root:root), which prevents any non-root actor from supplying a malicious device count - trade-off is negligible since this is the expected secure default. Additionally, consider restricting pam_usb deployment exclusively to 64-bit architectures where the size_t overflow condition cannot be triggered, eliminating the vulnerability entirely without a code change. Disabling pam_usb on 32-bit hosts until patched is the most conservative option if the authentication mechanism is not operationally critical.
Authentication bypass in pam_usb before 0.9.1 allows remote unauthenticated attackers to reach the USB hardware-authenti
Authentication bypass in pam_usb prior to 0.9.0 lets a local user defeat the USB hardware-authentication factor by delet
XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to tr
XPath injection in pam_usb prior to 0.9.0 allows unauthenticated remote attackers to manipulate device-verification quer
PATH hijacking in pam_usb helper tools prior to version 0.9.0 allows a local low-privileged attacker who can manipulate
Environment variable injection in pam_usb prior to version 0.9.2 allows a local authenticated user to bypass hardware US
Symlink race condition in pam_usb prior to 0.9.2 allows a local attacker to redirect one-time pad files to an attacker-c
Non-atomic one-time pad file creation in pam_usb prior to 0.9.2 exposes the core replay-prevention mechanism to a local
Concurrent PAM invocations in pam_usb prior to 0.9.1 expose a process-wide static pointer race condition in src/log.c, w
NULL pointer dereference in pam_usb 0.9.1 and below crashes PAM-integrated authentication services (sudo, login) when lo
Infinite loop denial-of-service in pam_usb 0.9.1 and earlier can permanently hang authentication processes such as sudo,
Insecure deallocation in pam_usb 0.9.1 and below leaves sensitive authentication material - including one-time pad (OTP)
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32649