Skip to main content

pam_usb CVE-2026-48792

| EUVDEUVD-2026-32647 MEDIUM
Detection of Error Condition Without Action (CWE-390)
2026-05-27 GitHub_M
4.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.4 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
May 27, 2026 - 22:04 EUVD
Analysis Generated
May 27, 2026 - 21:27 vuln.today

DescriptionGitHub Advisory

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/evdev.c silently ignores EACCES errors when opening /dev/input/event* nodes, causing pusb_has_virtual_input_device() to return 0 (no virtual devices found) even when every open() call failed due to insufficient permissions. The caller in src/local.c cannot distinguish a clean absence of virtual devices from a permission-denied scan, and acts on the false negative by continuing authentication without denying. This vulnerability is fixed in 0.9.1.

AnalysisAI

Authentication bypass in pam_usb prior to 0.9.1 allows a local low-privileged user to circumvent hardware token requirements by exploiting silent EACCES error suppression in the virtual input device scanner. When the PAM module's evdev.c component fails to open /dev/input/event* nodes due to permission errors, it returns a false negative indicating no virtual devices are present, and the caller in local.c proceeds with authentication as if the hardware check passed cleanly. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

pam_usb is a Linux PAM (Pluggable Authentication Modules) module developed by mcdope that enforces hardware-based two-factor authentication using removable USB media. The vulnerability resides in src/evdev.c within the pusb_has_virtual_input_device() function, which iterates over /dev/input/event* character device nodes to detect virtual input devices (a common indicator of automated or spoofed login attempts). When open() calls on these nodes return EACCES, the error is caught but no corrective action is taken - matching CWE-390 (Detection of Error Condition Without Action). The function then returns 0, semantically equivalent to 'no virtual devices found,' even though the scan was entirely incomplete. The caller in src/local.c cannot distinguish this permission-failure state from a legitimate clean scan result, and therefore continues the authentication flow rather than failing securely. Affected CPE: cpe:2.3:a:mcdope:pam_usb:*:*:*:*:*:*:*:* (all versions prior to 0.9.1).

RemediationAI

Vendor-released patch: 0.9.1. Upgrade pam_usb to version 0.9.1 or later, which resolves the silent EACCES suppression in src/evdev.c so that permission errors during /dev/input/event* scanning cause authentication to fail securely rather than proceed with a false negative. The advisory is available at https://github.com/mcdope/pam_usb/security/advisories/GHSA-pvrg-chgw-x42c. If an immediate upgrade is not possible, a compensating control is to ensure that the user or process invoking pam_usb has appropriate read permissions on /dev/input/event* nodes, so that EACCES errors cannot occur and the false-negative condition is avoided - however, this trade-off may broaden device access beyond intended scope and should be evaluated against local security policy. Alternatively, temporarily removing pam_usb from the PAM stack and substituting another second-factor mechanism eliminates the bypass risk at the cost of losing USB hardware authentication until patched.

CVE-2026-48064 HIGH
8.1 May 27

Authentication bypass in pam_usb before 0.9.1 allows remote unauthenticated attackers to reach the USB hardware-authenti

CVE-2026-47272 HIGH
7.1 May 27

Authentication bypass in pam_usb prior to 0.9.0 lets a local user defeat the USB hardware-authentication factor by delet

CVE-2026-48065 MEDIUM
6.7 May 27

Heap buffer overflow in pam_usb prior to 0.9.1 allows a local attacker with high privileges to corrupt heap memory on 32

CVE-2026-48981 MEDIUM
6.7 Jun 18

XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to tr

CVE-2026-47273 MEDIUM
6.5 May 27

XPath injection in pam_usb prior to 0.9.0 allows unauthenticated remote attackers to manipulate device-verification quer

CVE-2026-47274 MEDIUM
6.3 May 27

PATH hijacking in pam_usb helper tools prior to version 0.9.0 allows a local low-privileged attacker who can manipulate

CVE-2026-48980 MEDIUM
6.3 Jun 18

Environment variable injection in pam_usb prior to version 0.9.2 allows a local authenticated user to bypass hardware US

CVE-2026-48983 MEDIUM
5.8 Jun 18

Symlink race condition in pam_usb prior to 0.9.2 allows a local attacker to redirect one-time pad files to an attacker-c

CVE-2026-48982 MEDIUM
5.8 Jun 18

Non-atomic one-time pad file creation in pam_usb prior to 0.9.2 exposes the core replay-prevention mechanism to a local

CVE-2026-48066 MEDIUM
5.7 May 27

Concurrent PAM invocations in pam_usb prior to 0.9.1 expose a process-wide static pointer race condition in src/log.c, w

CVE-2026-48985 MEDIUM
5.5 Jun 18

NULL pointer dereference in pam_usb 0.9.1 and below crashes PAM-integrated authentication services (sudo, login) when lo

CVE-2026-48986 MEDIUM
4.7 Jun 18

Infinite loop denial-of-service in pam_usb 0.9.1 and earlier can permanently hang authentication processes such as sudo,

Share

CVE-2026-48792 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy