Skip to main content

pam_usb CVE-2026-48984

| EUVDEUVD-2026-37922 MEDIUM
Compiler Removal of Code to Clear Buffers (CWE-14)
2026-06-18 GitHub_M
4.7
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
4.7 MEDIUM

Local access only; high complexity requires chaining with a use-after-free or heap inspection primitive; low privilege sufficient; confidentiality impact only via OTP pad recovery.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
Jun 18, 2026 - 19:01 EUVD
Source Code Evidence Fetched
Jun 18, 2026 - 18:01 vuln.today
Analysis Generated
Jun 18, 2026 - 18:01 vuln.today

DescriptionCVE.org

pam_usb provides hardware authentication for Linux using ordinary removable media. In versions 0.9.1 and below, the xfree() memory release helper in calls free() without first zeroing the buffer contents, releasing heap-allocated buffers containing sensitive data - including one-time pad bytes read from disk - without clearing, leaving the sensitive content in freed heap memory until it happens to be overwritten by a subsequent allocation. On a system where a use-after-free condition exists, or where a heap inspection primitive becomes available, this could allow recovery of pad values or other authentication material from freed memory regions. This is a defence-in-depth requirement consistent with prior hardening work in this codebase (GHSA-vx6f-rrqr-j87c applied explicit_bzero to some pad paths; this issue generalises the pattern to the central deallocation helper).

AnalysisAI

Insecure deallocation in pam_usb 0.9.1 and below leaves sensitive authentication material - including one-time pad (OTP) bytes read from removable media - resident in freed heap memory because the xfree() helper calls free() without first zeroing the buffer. On any system where a secondary use-after-free condition or heap inspection primitive is present within the same pam_usb process, an attacker could recover pad values or other credential material from those freed regions, potentially undermining the hardware authentication guarantee pam_usb is designed to provide. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local low-privilege access on pam_usb host
Delivery
Trigger or observe OTP authentication event
Exploit
xfree() deallocates pad buffer without zeroing
Execution
Exploit co-existing use-after-free or heap inspection primitive
Persist
Read residual OTP pad bytes from freed heap region
Impact
Recover authentication material

Vulnerability AssessmentAI

Exploitation Exploitation requires a local attacker with low-privilege access (consistent with CVSS PR:L) on the host running pam_usb. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.7 with vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N accurately characterizes this as a moderate-severity local issue with high exploitation complexity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker with low-privilege access on a system running pam_usb waits for or triggers an authentication event, causing xfree() to deallocate a heap buffer containing OTP pad bytes without zeroing it. The attacker then exploits a separate use-after-free vulnerability in the pam_usb process - or uses a heap inspection primitive - to read the residual pad bytes from the freed region before they are overwritten, recovering material that can be used to forge or replay hardware authentication. …
Remediation Vendor-released patch: pam_usb 0.9.2. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-48064 HIGH
8.1 May 27

Authentication bypass in pam_usb before 0.9.1 allows remote unauthenticated attackers to reach the USB hardware-authenti

CVE-2026-47272 HIGH
7.1 May 27

Authentication bypass in pam_usb prior to 0.9.0 lets a local user defeat the USB hardware-authentication factor by delet

CVE-2026-48065 MEDIUM
6.7 May 27

Heap buffer overflow in pam_usb prior to 0.9.1 allows a local attacker with high privileges to corrupt heap memory on 32

CVE-2026-48981 MEDIUM
6.7 Jun 18

XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to tr

CVE-2026-47273 MEDIUM
6.5 May 27

XPath injection in pam_usb prior to 0.9.0 allows unauthenticated remote attackers to manipulate device-verification quer

CVE-2026-47274 MEDIUM
6.3 May 27

PATH hijacking in pam_usb helper tools prior to version 0.9.0 allows a local low-privileged attacker who can manipulate

CVE-2026-48980 MEDIUM
6.3 Jun 18

Environment variable injection in pam_usb prior to version 0.9.2 allows a local authenticated user to bypass hardware US

CVE-2026-48983 MEDIUM
5.8 Jun 18

Symlink race condition in pam_usb prior to 0.9.2 allows a local attacker to redirect one-time pad files to an attacker-c

CVE-2026-48982 MEDIUM
5.8 Jun 18

Non-atomic one-time pad file creation in pam_usb prior to 0.9.2 exposes the core replay-prevention mechanism to a local

CVE-2026-48066 MEDIUM
5.7 May 27

Concurrent PAM invocations in pam_usb prior to 0.9.1 expose a process-wide static pointer race condition in src/log.c, w

CVE-2026-48985 MEDIUM
5.5 Jun 18

NULL pointer dereference in pam_usb 0.9.1 and below crashes PAM-integrated authentication services (sudo, login) when lo

CVE-2026-48986 MEDIUM
4.7 Jun 18

Infinite loop denial-of-service in pam_usb 0.9.1 and earlier can permanently hang authentication processes such as sudo,

Share

CVE-2026-48984 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy