
pam_usb EUVD-2026-37935

CVE-2026-48982 MEDIUM
Race Condition (CWE-362)
2026-06-18 GitHub_M
5.8
CVSS 3.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), primary: 5.8 MEDIUM, AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L
vuln.today AI: 5.8 MEDIUM

Local-only race requiring a low-privilege account and precise timing drives AV:L, AC:H, PR:L; pad state corruption enabling replay justifies I:H with minor C and A impact.

CVSS 3.1: AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L
CVSS 4.0: AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: High
Availability: Low

Lifecycle Timeline

Patch available: Jun 18, 2026 - 21:02 (EUVD)
Source Code Evidence Fetched: Jun 18, 2026 - 20:04 (vuln.today)
Analysis Generated: Jun 18, 2026 - 20:04 (vuln.today)
CVE Published: Jun 18, 2026 - 19:01 (cve.org)
MEDIUM 5.8

Description (CVE.org)

pam_usb provides hardware authentication for Linux using ordinary removable media. In versions prior to 0.9.2, when updating a one-time pad file, a temporary file is created using open() without the O_EXCL flag. Without O_EXCL, the create operation is not atomic: two concurrent processes racing to update the same pad may both succeed in opening the file, with the second write silently overwriting the first. The one-time pad is the core replay-prevention mechanism of pam_usb. A successful race could result in the stored pad value diverging from what either process expected, potentially causing authentication failures or, in a precisely timed attack, creating a window for pad reuse. This issue has been fixed in version 0.9.2.
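The difference the description turns on, shown as an added example that is not pam_usb source code: two updaters open the same temp file before either has written, first with O_CREAT alone and then with O_CREAT | O_EXCL. The file name pad.tmp, the scratch directory and the pad strings are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Added illustration, not pam_usb source. Two updaters open the same pad
 * temp file (hypothetical name pad.tmp) before either has written to it.
 * Returns how many opens succeeded; `final` receives the file's end state. */
static int race_update(int extra_flags, char *final, size_t len)
{
    char dir[] = "/tmp/pad_demo_XXXXXX";   /* constructed scratch directory */
    char path[64];
    if (len == 0 || !mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/pad.tmp", dir);

    int flags = O_WRONLY | O_CREAT | extra_flags;
    int fd_a = open(path, flags, 0600);    /* updater A creates the file */
    int fd_b = open(path, flags, 0600);    /* updater B: fails with EEXIST under O_EXCL */
    int opened = (fd_a >= 0) + (fd_b >= 0);

    /* Each descriptor starts at its own offset 0, so B's write replaces A's. */
    if (fd_a >= 0) { if (write(fd_a, "PAD-A", 5) != 5) opened = -1; close(fd_a); }
    if (fd_b >= 0) { if (write(fd_b, "PAD-B", 5) != 5) opened = -1; close(fd_b); }

    memset(final, 0, len);
    int fd = open(path, O_RDONLY);
    if (fd < 0 || read(fd, final, len - 1) < 0) opened = -1;
    if (fd >= 0) close(fd);
    unlink(path);
    rmdir(dir);
    return opened;
}

int main(void)
{
    char pad[16];
    int n = race_update(0, pad, sizeof pad);
    printf("without O_EXCL: %d opens succeeded, pad on disk = %s\n", n, pad);
    n = race_update(O_EXCL, pad, sizeof pad);
    printf("with    O_EXCL: %d open succeeded,  pad on disk = %s\n", n, pad);
    return 0;
}
```

With O_EXCL the losing updater gets an explicit error it can handle or retry on, instead of silently sharing the file with the winner.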

Analysis (AI)

Non-atomic one-time pad file creation in pam_usb prior to 0.9.2 exposes the core replay-prevention mechanism to a local race condition (CWE-362), allowing a precisely timed concurrent write to corrupt or reuse the stored OTP pad state. Systems running pam_usb as a PAM module for SSH, sudo, or login are affected on all versions before 0.9.2; successful exploitation could silently degrade hardware authentication integrity, creating a window for USB token replay attacks. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Gain local low-privilege shell
Delivery: Script concurrent PAM authentication sessions
Exploit: Race open() call on OTP pad temp file
Execution: Second write overwrites first pad update
Persist: Stored pad diverges to previously observed value
Impact: Present replayed USB token to authenticate

Vulnerability Assessment (AI)

Exploitation: Exploitation requires all of the following: (1) a local account on the target Linux system with at least low-privilege access (PR:L per the provided CVSS vector); (2) pam_usb actively configured as a PAM module for a service on that system (SSH, sudo, console login, etc.); (3) the attacker's ability to initiate two or more concurrent authentication or pad-update events, for example by scripting parallel login attempts, to open the race window; and (4) precise timing to win the race (AC:H), requiring repeated attempts and favorable OS scheduler behavior. …

Risk Assessment: The CVSS 3.1 vector AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L yields a score of 5.8, which accurately reflects the threat model: local-only access (AV:L) and high attack complexity (AC:H) substantially constrain exploitability, but Integrity:High is justified because a successful race undermines the entire replay-prevention layer of the authentication system. …

Exploit Scenario: A local attacker with a low-privilege account on a Linux system using pam_usb scripts two simultaneous authentication attempts against the same PAM service, timing them to collide during the OTP pad temp file write. If the race is won, the second open() call overwrites the first process's pad update, leaving the on-disk value mismatched from both processes' expectations; in a precisely engineered case, the attacker arranges for the resulting stored pad to match a previously captured pad value, then presents the corresponding USB token to authenticate with a replayed credential. …

Remediation: Upgrade pam_usb to version 0.9.2 immediately; this release adds O_EXCL to the pad temp file creation call (PR #380), making the create atomic and eliminating the race window. …


CVE-2026-48064 HIGH
8.1 May 27

Authentication bypass in pam_usb before 0.9.1 allows remote unauthenticated attackers to reach the USB hardware-authenti

CVE-2026-47272 HIGH
7.1 May 27

Authentication bypass in pam_usb prior to 0.9.0 lets a local user defeat the USB hardware-authentication factor by delet

CVE-2026-48065 MEDIUM
6.7 May 27

Heap buffer overflow in pam_usb prior to 0.9.1 allows a local attacker with high privileges to corrupt heap memory on 32

CVE-2026-48981 MEDIUM
6.7 Jun 18

XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to tr

CVE-2026-47273 MEDIUM
6.5 May 27

XPath injection in pam_usb prior to 0.9.0 allows unauthenticated remote attackers to manipulate device-verification quer

CVE-2026-47274 MEDIUM
6.3 May 27

PATH hijacking in pam_usb helper tools prior to version 0.9.0 allows a local low-privileged attacker who can manipulate

CVE-2026-48980 MEDIUM
6.3 Jun 18

Environment variable injection in pam_usb prior to version 0.9.2 allows a local authenticated user to bypass hardware US

CVE-2026-48983 MEDIUM
5.8 Jun 18

Symlink race condition in pam_usb prior to 0.9.2 allows a local attacker to redirect one-time pad files to an attacker-c

CVE-2026-48066 MEDIUM
5.7 May 27

Concurrent PAM invocations in pam_usb prior to 0.9.1 expose a process-wide static pointer race condition in src/log.c, w

CVE-2026-48985 MEDIUM
5.5 Jun 18

NULL pointer dereference in pam_usb 0.9.1 and below crashes PAM-integrated authentication services (sudo, login) when lo

CVE-2026-48986 MEDIUM
4.7 Jun 18

Infinite loop denial-of-service in pam_usb 0.9.1 and earlier can permanently hang authentication processes such as sudo,

CVE-2026-48984 MEDIUM
4.7 Jun 18

Insecure deallocation in pam_usb 0.9.1 and below leaves sensitive authentication material - including one-time pad (OTP)
