
pam_usb CVE-2026-48981

EUVD-2026-37934 MEDIUM
Improper Restriction of XML External Entity Reference (CWE-611)
2026-06-18 GitHub_M
6.7
CVSS 3.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
6.7 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L
vuln.today AI
6.7 MEDIUM

Root write access to config mandates PR:H and AV:L; AC:H for multi-step prerequisite; S:C because pam_usb.so executes inside setuid sudo/su processes.

CVSS 3.1: AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L
CVSS 4.0: AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L
Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: Low

Lifecycle Timeline

Patch available: Jun 18, 2026 21:02 (EUVD)
Source Code Evidence Fetched: Jun 18, 2026 20:03 (vuln.today)
Analysis Generated: Jun 18, 2026 20:03 (vuln.today)
CVE Published: Jun 18, 2026 18:55 (cve.org)

Description (CVE.org)

pam_usb provides hardware authentication for Linux using ordinary removable media. In versions prior to 0.9.2, pam_usb calls xmlReadFile() with flags=0 when loading the configuration file, allowing libxml2 to process external entity references (XXE), potentially making outbound network connections or local file reads at XML parse time from the context of the authenticating process. The vulnerability requires the configuration file to contain crafted XML entity references. Since pam_usb.conf is root-owned, direct exploitation requires prior write access to the config, but the defence-in-depth impact is significant given that pam_usb.so runs in setuid contexts (sudo, su). This issue has been fixed in version 0.9.2.

Analysis (AI)

XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to trigger unauthorized outbound network connections or local file reads during XML parsing, executing within privileged setuid contexts (sudo, su). The vulnerability stems from libxml2's xmlReadFile() being called with flags=0, leaving external entity processing enabled by default: a configuration-time oversight rather than a runtime input flaw. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Gain root write access to target system
Delivery: Inject XXE payload into /etc/pam_usb.conf
Exploit: Wait for authentication event via sudo or su
Execution: pam_usb.so loads and parses crafted XML
Persist: libxml2 resolves external entity reference
Impact: Exfiltrate local file contents or trigger outbound network beacon

Vulnerability Assessment (AI)

Exploitation: Exploitation requires prior write access to /etc/pam_usb.conf, which is root-owned; gaining this access is itself a high-privilege prerequisite (PR:H). …
Risk Assessment: The CVSS 3.1 score of 6.7 (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L) accurately reflects the constrained exploitation path: an attacker must already possess root-level write access to pam_usb.conf before the XXE becomes exploitable, which limits opportunistic exploitation significantly. …
Exploit Scenario: An attacker who has achieved root-level access to a system (through a separate vulnerability or credential theft) modifies /etc/pam_usb.conf to embed an XML external entity declaration referencing a sensitive local file such as /etc/shadow or an attacker-controlled remote URL. The next time any user invokes sudo or su, pam_usb.so is loaded into the privileged process, xmlReadFile() parses the crafted config, and libxml2 resolves the external entity, either reading the target file into memory (potentially loggable via error output or side channels) or initiating an outbound DNS/HTTP request that exfiltrates data to the attacker. …
Remediation: Upgrade to pam_usb 0.9.2, which resolves the XXE issue by passing explicit libxml2 parser flags to disable external entity expansion in xmlReadFile() (PR #385). …
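As an added defender's check (not code from pam_usb, the advisory, or PR #385), the following Python script audits a pam_usb.conf for exactly the precondition described above: a DOCTYPE and any entity declared with a SYSTEM or PUBLIC identifier. It parses with the standard-library expat parser, which does not fetch external resources, so reading a tainted file is safe; the element layout in the constructed samples is assumed rather than taken from the page.

```python
# Audit a pam_usb.conf for the constructs behind the pre-0.9.2 XXE: a DOCTYPE with
# an external subset, or any entity declared with a SYSTEM/PUBLIC identifier.
import xml.parsers.expat as expat


def audit_pam_usb_conf(xml_text: str) -> list[str]:
    """Return findings; an empty list means no DTD or entity constructs."""
    findings: list[str] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if sysid or pubid:
            findings.append(f"DOCTYPE {name} loads external subset {sysid or pubid}")
        elif has_internal_subset:
            findings.append(f"DOCTYPE {name} carries an internal subset")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        if sysid or pubid:
            findings.append(f"external {kind} entity '{name}' -> {sysid or pubid}")
        else:
            findings.append(f"internal {kind} entity '{name}' declared")

    def on_external_ref(context, base, sysid, pubid):
        findings.append(f"reference to external entity {sysid} (not fetched)")
        return 1  # report as handled; nothing is read or requested

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_text, True)
    except expat.ExpatError as err:
        findings.append(f"parse error: {err}")
    return findings


# Constructed samples; the element layout is assumed, not taken from the page.
SAFE_CONF = """<?xml version="1.0"?>
<configuration>
  <devices><device id="MyKey"><vendor>Example</vendor></device></devices>
  <users><user id="alice"><device>MyKey</device></user></users>
</configuration>"""

# The precondition the advisory describes; the SYSTEM URI is a placeholder.
TAINTED_CONF = """<?xml version="1.0"?>
<!DOCTYPE configuration [ <!ENTITY ext SYSTEM "file:///placeholder/path"> ]>
<configuration>
  <devices><device id="MyKey"><vendor>&ext;</vendor></device></devices>
</configuration>"""
```

A legitimate pam_usb.conf has no reason to carry a DOCTYPE at all, so any finding on a root-owned config is worth investigating alongside an upgrade to 0.9.2.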




CVE-2026-48981 vulnerability details – vuln.today
