Skip to main content

pam_usb CVE-2026-48065

| EUVDEUVD-2026-32649 MEDIUM
Heap-based Buffer Overflow (CWE-122)
2026-05-27 GitHub_M
6.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.7 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 27, 2026 - 22:04 EUVD
Analysis Generated
May 27, 2026 - 21:28 vuln.today
CVE Published
May 27, 2026 - 19:58 nvd
MEDIUM 6.7

DescriptionGitHub Advisory

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/conf.c allocates heap memory proportional to n_devices, a count derived from libxml2 XPath evaluation of the config file, without first enforcing an upper bound. On 32-bit targets (armv7l, i686 -- both listed in the project Makefile), the multiplication n_devices * sizeof(t_pusb_device) wraps around size_t, causing xmalloc() to receive a very small size. Because xmalloc() only calls abort() on NULL return, a small-but-non-NULL allocation is accepted, and subsequent array writes overflow the heap. This vulnerability is fixed in 0.9.1.

AnalysisAI

Heap buffer overflow in pam_usb prior to 0.9.1 allows a local attacker with high privileges to corrupt heap memory on 32-bit Linux platforms (armv7l, i686) by supplying a crafted configuration file with an excessive device count. The root cause is an unchecked integer multiplication in src/conf.c where n_devices * sizeof(t_pusb_device) wraps around size_t on 32-bit targets, causing xmalloc() to receive a drastically undersized allocation that is silently accepted, enabling out-of-bounds writes into heap memory. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, successful exploitation yields full confidentiality, integrity, and availability impact on the affected host.

Technical ContextAI

pam_usb is a Linux PAM module that authenticates users via removable USB media, reading its configuration from an XML file parsed using libxml2 XPath queries. The vulnerable code resides in src/conf.c, where the integer n_devices - derived from the XPath-evaluated count of device entries in the config - is multiplied by sizeof(t_pusb_device) to compute a heap allocation size. On 32-bit architectures (armv7l and i686, both explicitly listed in the project Makefile), the type size_t is 32 bits wide, meaning sufficiently large n_devices values cause the multiplication result to wrap around to a small integer. xmalloc() calls abort() only on NULL return; a small-but-valid pointer is returned and accepted without error. Subsequent array writes then overflow the undersized heap buffer. This is a classic CWE-122 (Heap-based Buffer Overflow) triggered by an integer overflow precondition (related to CWE-190), and is exclusively reproducible on 32-bit targets due to the size_t width constraint. The CPE cpe:2.3:a:mcdope:pam_usb:*:*:*:*:*:*:*:* indicates all releases prior to the fix are affected.

RemediationAI

Upgrade pam_usb to version 0.9.1, which is the vendor-confirmed patched release per the GitHub security advisory at https://github.com/mcdope/pam_usb/security/advisories/GHSA-24mw-m2vf-36vp. This fix is expected to introduce an upper-bound check on n_devices before the heap allocation multiplication in src/conf.c, preventing the integer wrap-around. For environments that cannot immediately upgrade, the most effective compensating control is to ensure the pam_usb configuration file (typically /etc/pam_usb.conf) is writable only by root (mode 0600 or 0640, owned by root:root), which prevents any non-root actor from supplying a malicious device count - trade-off is negligible since this is the expected secure default. Additionally, consider restricting pam_usb deployment exclusively to 64-bit architectures where the size_t overflow condition cannot be triggered, eliminating the vulnerability entirely without a code change. Disabling pam_usb on 32-bit hosts until patched is the most conservative option if the authentication mechanism is not operationally critical.

CVE-2026-48064 HIGH
8.1 May 27

Authentication bypass in pam_usb before 0.9.1 allows remote unauthenticated attackers to reach the USB hardware-authenti

CVE-2026-47272 HIGH
7.1 May 27

Authentication bypass in pam_usb prior to 0.9.0 lets a local user defeat the USB hardware-authentication factor by delet

CVE-2026-48981 MEDIUM
6.7 Jun 18

XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to tr

CVE-2026-47273 MEDIUM
6.5 May 27

XPath injection in pam_usb prior to 0.9.0 allows unauthenticated remote attackers to manipulate device-verification quer

CVE-2026-47274 MEDIUM
6.3 May 27

PATH hijacking in pam_usb helper tools prior to version 0.9.0 allows a local low-privileged attacker who can manipulate

CVE-2026-48980 MEDIUM
6.3 Jun 18

Environment variable injection in pam_usb prior to version 0.9.2 allows a local authenticated user to bypass hardware US

CVE-2026-48983 MEDIUM
5.8 Jun 18

Symlink race condition in pam_usb prior to 0.9.2 allows a local attacker to redirect one-time pad files to an attacker-c

CVE-2026-48982 MEDIUM
5.8 Jun 18

Non-atomic one-time pad file creation in pam_usb prior to 0.9.2 exposes the core replay-prevention mechanism to a local

CVE-2026-48066 MEDIUM
5.7 May 27

Concurrent PAM invocations in pam_usb prior to 0.9.1 expose a process-wide static pointer race condition in src/log.c, w

CVE-2026-48985 MEDIUM
5.5 Jun 18

NULL pointer dereference in pam_usb 0.9.1 and below crashes PAM-integrated authentication services (sudo, login) when lo

CVE-2026-48986 MEDIUM
4.7 Jun 18

Infinite loop denial-of-service in pam_usb 0.9.1 and earlier can permanently hang authentication processes such as sudo,

CVE-2026-48984 MEDIUM
4.7 Jun 18

Insecure deallocation in pam_usb 0.9.1 and below leaves sensitive authentication material - including one-time pad (OTP)

Share

CVE-2026-48065 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy