Skip to main content

pam_usb CVE-2026-48985

| EUVDEUVD-2026-37924 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-18 GitHub_M
5.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local attack vector and low-privilege prerequisite confirmed by description; no confidentiality or integrity impact; availability High because crash can block all service authentication.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch available
Jun 18, 2026 - 19:01 EUVD
Source Code Evidence Fetched
Jun 18, 2026 - 18:04 vuln.today
Analysis Generated
Jun 18, 2026 - 18:04 vuln.today
CVE Published
Jun 18, 2026 - 17:30 cve.org
MEDIUM 5.5

DescriptionCVE.org

pam_usb provides hardware authentication for Linux using ordinary removable media. In versions 0.9.1 and below, pusb_is_loginctl_local() can cause a NULL dereference crash when parsing loginctl output. The function calls popen() and reads the result; if the Remote field is only a newline, fgets() succeeds but strtok_r(buf, "\n", &saveptr) returns NULL. A subsequent strcmp(is_remote, "no") then dereferences NULL, causing undefined behavior (typically SIGSEGV) and crashing the PAM module. This can crash the authenticating process (e.g., sudo, login) and, depending on PAM stack configuration, deny access for all users of the affected service. This issue has been fixed in version 0.9.2.

AnalysisAI

NULL pointer dereference in pam_usb 0.9.1 and below crashes PAM-integrated authentication services (sudo, login) when loginctl returns an empty Remote field during session locality checks. The crash terminates the PAM module with SIGSEGV, and depending on PAM stack control flags (required vs. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain low-privilege local account access
Delivery
Trigger authentication against pam_usb-protected service
Exploit
pusb_is_loginctl_local() calls loginctl via popen()
Install
loginctl returns empty Remote field (newline only)
C2
strtok_r() returns NULL, strcmp() dereferences it
Execute
SIGSEGV crashes PAM module
Impact
Authentication denied for all users of affected service

Vulnerability AssessmentAI

Exploitation pam_usb must be installed and active in the PAM stack for at least one service (e.g., /etc/pam.d/sudo or /etc/pam.d/login). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (score 5.5) accurately reflects the threat profile: this is a local, low-complexity denial of service requiring only low-privilege access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privilege local user initiates an authentication attempt through a pam_usb-protected service such as sudo. During the session locality check, loginctl happens to return a Remote field with only a newline - a condition that can arise in certain display manager or remote session configurations. …
Remediation Upgrade to pam_usb version 0.9.2, which fixes this NULL dereference (commit #393 in the release) alongside 11 other security findings including XXE, TOCTOU races, symlink attacks, and environment variable injection. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-48064 HIGH
8.1 May 27

Authentication bypass in pam_usb before 0.9.1 allows remote unauthenticated attackers to reach the USB hardware-authenti

CVE-2026-47272 HIGH
7.1 May 27

Authentication bypass in pam_usb prior to 0.9.0 lets a local user defeat the USB hardware-authentication factor by delet

CVE-2026-48065 MEDIUM
6.7 May 27

Heap buffer overflow in pam_usb prior to 0.9.1 allows a local attacker with high privileges to corrupt heap memory on 32

CVE-2026-48981 MEDIUM
6.7 Jun 18

XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to tr

CVE-2026-47273 MEDIUM
6.5 May 27

XPath injection in pam_usb prior to 0.9.0 allows unauthenticated remote attackers to manipulate device-verification quer

CVE-2026-47274 MEDIUM
6.3 May 27

PATH hijacking in pam_usb helper tools prior to version 0.9.0 allows a local low-privileged attacker who can manipulate

CVE-2026-48980 MEDIUM
6.3 Jun 18

Environment variable injection in pam_usb prior to version 0.9.2 allows a local authenticated user to bypass hardware US

CVE-2026-48983 MEDIUM
5.8 Jun 18

Symlink race condition in pam_usb prior to 0.9.2 allows a local attacker to redirect one-time pad files to an attacker-c

CVE-2026-48982 MEDIUM
5.8 Jun 18

Non-atomic one-time pad file creation in pam_usb prior to 0.9.2 exposes the core replay-prevention mechanism to a local

CVE-2026-48066 MEDIUM
5.7 May 27

Concurrent PAM invocations in pam_usb prior to 0.9.1 expose a process-wide static pointer race condition in src/log.c, w

CVE-2026-48986 MEDIUM
4.7 Jun 18

Infinite loop denial-of-service in pam_usb 0.9.1 and earlier can permanently hang authentication processes such as sudo,

CVE-2026-48984 MEDIUM
4.7 Jun 18

Insecure deallocation in pam_usb 0.9.1 and below leaves sensitive authentication material - including one-time pad (OTP)

Share

CVE-2026-48985 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy