Severity by source
AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, src/mem.c implemented out-of-memory guards for xmalloc(), xrealloc(), and xstrdup() using assert(data != NULL). The C standard specifies that all assert() expressions are compiled out when NDEBUG is defined at build time. NDEBUG is commonly defined in release and packaging builds (Debian, Fedora, Arch package flags all define it via -DNDEBUG in CFLAGS). With the guard removed, xmalloc/xrealloc/xstrdup silently return NULL on allocation failure. Every caller in the codebase dereferences the return value without a NULL check -- this is the intended design, as the guard was supposed to abort before the dereference. With the guard gone, any allocation failure causes a NULL pointer dereference, crashing the PAM module. A crash in a PAM module loaded by sudo or login causes authentication to fail for the duration of the crash, creating a local denial-of-service condition. An attacker who can induce memory pressure at authentication time can lock all users out of sudo and login. This vulnerability is fixed in 0.9.0.
AnalysisAI
pam_usb prior to 0.9.0 crashes under memory pressure due to assert()-based OOM guards in src/mem.c that are silently stripped by standard distribution build flags, enabling a local denial-of-service against authentication subsystems. Any allocation failure in xmalloc(), xrealloc(), or xstrdup() returns NULL, which every caller then dereferences unconditionally - the intended abort-before-dereference guarantee exists only in debug builds, not in Debian, Fedora, or Arch Linux packages that define -DNDEBUG via CFLAGS. A local attacker who can induce memory pressure at authentication time causes the PAM module to crash, locking all users out of sudo and login for the duration of the crash. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
pam_usb (CPE: cpe:2.3:a:mcdope:pam_usb:*:*:*:*:*:*:*:*) is a Linux PAM module that provides hardware-based authentication via removable USB media. Its memory allocation wrappers in src/mem.c - xmalloc(), xrealloc(), and xstrdup() - used assert(data != NULL) as their sole out-of-memory guard. The C standard (ISO/IEC 9899) specifies that the entire assert() expression, including its side effects, is elided when the translation unit is compiled with NDEBUG defined. Distribution-level packaging for Debian, Fedora, and Arch Linux routinely inject -DNDEBUG into CFLAGS for release builds, silently removing these guards from the compiled binary. With the guard absent, any failed heap allocation propagates a NULL return value that is immediately dereferenced by callers - a textbook CWE-476 (NULL Pointer Dereference) condition. Because pam_usb runs within the PAM stack loaded by privileged binaries such as sudo and login, a module crash translates directly into authentication failure at the OS level.
RemediationAI
The primary fix is to upgrade to pam_usb 0.9.0, which replaces assert()-based OOM guards in src/mem.c with explicit NULL checks followed by unconditional abort() calls, ensuring the guard is present in all build configurations regardless of NDEBUG. The upstream fix commit is at https://github.com/mcdope/pam_usb/commit/d003e551b794a9e3774ff4720830fb7aadaa48bd. For systems that cannot upgrade immediately, an interim compensating control is to rebuild pam_usb from source omitting -DNDEBUG from CFLAGS, which restores the assert() behavior - but this requires managing custom packages outside the distribution's update path and may be overwritten on the next OS-level package update. A second partial mitigation is to ensure the system has sufficient free memory headroom during authentication windows by limiting concurrent memory-intensive workloads, though this is not a reliable or enforceable control. Distribution maintainers for Debian, Fedora, and Arch Linux should be notified to rebuild and ship updated packages from 0.9.0.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32654