Skip to main content

pam_usb CVE-2026-48066

| EUVDEUVD-2026-32648 MEDIUM
Race Condition (CWE-362)
2026-05-27 GitHub_M
5.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.7 MEDIUM
AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

3
Patch available
May 27, 2026 - 22:04 EUVD
Analysis Generated
May 27, 2026 - 21:28 vuln.today
CVE Published
May 27, 2026 - 19:57 nvd
MEDIUM 5.7

DescriptionGitHub Advisory

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/log.c contains a process-wide static pointer that is written on every PAM invocation with the address of a stack-local variable. This violates the PAM re-entrancy requirement and creates a data race when the PAM stack is invoked concurrently from multiple threads. This vulnerability is fixed in 0.9.1.

AnalysisAI

Concurrent PAM invocations in pam_usb prior to 0.9.1 expose a process-wide static pointer race condition in src/log.c, where each PAM call overwrites a shared static pointer with the address of a stack-local variable. When multiple threads invoke the PAM stack simultaneously - a normal condition in multi-threaded Linux services such as SSH daemons or display managers - one thread's logging pointer can reference another thread's already-deallocated stack frame, causing availability loss (crash/hang) or limited integrity corruption. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV.

Technical ContextAI

pam_usb (CPE: cpe:2.3:a:mcdope:pam_usb:*:*:*:*:*:*:*:*) is a Linux PAM module that enforces hardware two-factor authentication using removable USB media. The PAM framework mandates that modules be re-entrant and thread-safe, as calling applications such as sshd or polkit may invoke the PAM stack concurrently from multiple threads. The root cause (CWE-362: Concurrent Execution Using Shared Resource with Improper Synchronization) is located in src/log.c, which holds a single process-wide static pointer. On every PAM invocation, this pointer is assigned the address of a variable residing on that invocation's call stack. Because the stack frame is destroyed when the function returns, any concurrent thread that dereferences the static pointer after the originating thread has returned is reading a dangling pointer into freed stack memory. The CVSS vector AV:L/AC:H reflects that exploitation requires local system access and precise timing to trigger the race window.

RemediationAI

Upgrade pam_usb to version 0.9.1, which resolves the static pointer misuse in src/log.c. This is the vendor-released patch per the GitHub Security Advisory GHSA-qg76-57wq-mpv6 at https://github.com/mcdope/pam_usb/security/advisories/GHSA-qg76-57wq-mpv6. If immediate upgrade is not possible, a compensating control is to restrict pam_usb to single-threaded authentication contexts only - for example, disabling concurrent session handling in sshd (setting MaxStartups 1) to eliminate the race window, though this introduces a denial-of-service risk by serializing all SSH authentication. Alternatively, removing pam_usb from the PAM stack of services that invoke PAM concurrently (e.g., commenting out the pam_usb line in /etc/pam.d/sshd) eliminates exposure at the cost of disabling hardware USB authentication for those services. Upgrade to 0.9.1 is the only complete fix.

CVE-2026-48064 HIGH
8.1 May 27

Authentication bypass in pam_usb before 0.9.1 allows remote unauthenticated attackers to reach the USB hardware-authenti

CVE-2026-47272 HIGH
7.1 May 27

Authentication bypass in pam_usb prior to 0.9.0 lets a local user defeat the USB hardware-authentication factor by delet

CVE-2026-48065 MEDIUM
6.7 May 27

Heap buffer overflow in pam_usb prior to 0.9.1 allows a local attacker with high privileges to corrupt heap memory on 32

CVE-2026-48981 MEDIUM
6.7 Jun 18

XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to tr

CVE-2026-47273 MEDIUM
6.5 May 27

XPath injection in pam_usb prior to 0.9.0 allows unauthenticated remote attackers to manipulate device-verification quer

CVE-2026-47274 MEDIUM
6.3 May 27

PATH hijacking in pam_usb helper tools prior to version 0.9.0 allows a local low-privileged attacker who can manipulate

CVE-2026-48980 MEDIUM
6.3 Jun 18

Environment variable injection in pam_usb prior to version 0.9.2 allows a local authenticated user to bypass hardware US

CVE-2026-48983 MEDIUM
5.8 Jun 18

Symlink race condition in pam_usb prior to 0.9.2 allows a local attacker to redirect one-time pad files to an attacker-c

CVE-2026-48982 MEDIUM
5.8 Jun 18

Non-atomic one-time pad file creation in pam_usb prior to 0.9.2 exposes the core replay-prevention mechanism to a local

CVE-2026-48985 MEDIUM
5.5 Jun 18

NULL pointer dereference in pam_usb 0.9.1 and below crashes PAM-integrated authentication services (sudo, login) when lo

CVE-2026-48986 MEDIUM
4.7 Jun 18

Infinite loop denial-of-service in pam_usb 0.9.1 and earlier can permanently hang authentication processes such as sudo,

CVE-2026-48984 MEDIUM
4.7 Jun 18

Insecure deallocation in pam_usb 0.9.1 and below leaves sensitive authentication material - including one-time pad (OTP)

Share

CVE-2026-48066 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy