
pam_usb EUVD-2026-37936

CVE-2026-48983 MEDIUM
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-06-18 GitHub_M
5.8 (CVSS 3.1 · Vendor: GitHub_M)

Severity by source

Vendor (GitHub_M), PRIMARY: 5.8 MEDIUM, AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
vuln.today AI: 5.8 MEDIUM

Local-only TOCTOU race (AV:L, AC:H); low-privilege account sufficient (PR:L); OTP pad exposure yields high confidentiality impact with limited integrity and availability disruption.

CVSS 3.1: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
CVSS 4.0: AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: Low

Lifecycle Timeline

Patch available: Jun 18, 2026 - 21:02 (EUVD)
Source Code Evidence Fetched: Jun 18, 2026 - 20:05 (vuln.today)
Analysis Generated: Jun 18, 2026 - 20:05 (vuln.today)
CVE Published: Jun 18, 2026 - 19:07 (cve.org), MEDIUM 5.8

Description (CVE.org)

pam_usb provides hardware authentication for Linux using ordinary removable media. In versions prior to 0.9.2, a symlink race condition exists in per-device and per-user pad directory creation. pam_usb uses a check-then-act pattern: it calls lstat() to test for existence and then calls mkdir() separately to create the directory. A local attacker can win the race between these calls by replacing the target path with a symlink to a directory they control. If successful, one-time pad files may be written to an attacker-controlled location, potentially exposing future pad values before use or disrupting authentication. This issue has been fixed in version 0.9.2.
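
The check-then-act shape described above, next to a create-then-verify alternative, as an added example (not pam_usb's code and not the 0.9.2 patch). The function names are hypothetical, and the ownership rule (directory owned by the caller's effective UID, not group- or world-writable) is an assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Racy shape: the lstat() answer can be stale by the time mkdir() runs,
 * and later path-based writes trust it anyway. */
int ensure_dir_racy(const char *path)
{
    struct stat st;
    if (lstat(path, &st) == 0)      /* check */
        return 0;
    return mkdir(path, 0700);       /* act, after a window */
}

/* Hardened shape: create first, then verify the object that was opened.
 * Returns a directory fd for use with openat(), or -1 on refusal. */
int open_private_dir(const char *path)
{
    struct stat st;
    int fd;

    /* mkdir() is atomic and fails with EEXIST if anything, including a
     * symlink, already sits at the path; no prior existence test needed. */
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;

    /* O_NOFOLLOW refuses a symlink; O_DIRECTORY refuses non-directories. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;

    /* fstat() inspects the opened inode, which cannot be swapped later.
     * Assumed policy: owned by our effective UID, not group/world-writable. */
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Create a pad file relative to the verified fd, never by full path. */
int create_pad_file(int dirfd, const char *name)
{
    return openat(dirfd, name,
                  O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}
```

Holding the directory descriptor and using openat() keeps every later write bound to the inode that passed the checks, so replacing the path afterwards has no effect on where files land.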

Analysis (AI)

Symlink race condition in pam_usb prior to 0.9.2 allows a local attacker to redirect one-time pad files to an attacker-controlled directory, potentially exposing future OTP values before use and undermining hardware-based PAM authentication on Linux. The flaw is a classic TOCTOU pattern in per-device and per-user pad directory creation, fixed as part of a 12-issue security hardening release (0.9.2) triggered by an ongoing audit. …

Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain low-privilege local shell
Delivery: Identify or predict OTP pad directory path
Exploit: Place symlink at target path pointing to attacker-owned directory
Execution: Race pam_usb lstat()-to-mkdir() window during authentication event
Persist: Pad files written to attacker-controlled location
Impact: Read pre-written OTP values to predict or replay future authentication tokens

Vulnerability Assessment (AI)

Exploitation: Exploitation requires a local account with code execution capability on a Linux system running pam_usb prior to 0.9.2 with one-time pad (OTP) authentication actively configured and in use; systems that deploy pam_usb without OTP pads are not affected via this path. …

Risk Assessment: The CVSS 3.1 score of 5.8 (Medium) with vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L is well-calibrated to the real-world threat. …

Exploit Scenario: A local attacker with a low-privilege shell identifies the expected filesystem path for a per-device or per-user OTP pad directory and places a symlink at that path pointing to a directory they own, before or during a pam_usb authentication event. If the symlink is in place when pam_usb calls lstat() (seeing the path as existing) and then calls mkdir() (which follows the symlink rather than creating a real directory), subsequent OTP pad files are written into the attacker's directory. …

Remediation: Upgrade pam_usb to version 0.9.2, confirmed available at https://github.com/mcdope/pam_usb/releases/tag/0.9.2. …

CVE-2026-48064 HIGH
8.1 May 27

Authentication bypass in pam_usb before 0.9.1 allows remote unauthenticated attackers to reach the USB hardware-authenti

CVE-2026-47272 HIGH
7.1 May 27

Authentication bypass in pam_usb prior to 0.9.0 lets a local user defeat the USB hardware-authentication factor by delet

CVE-2026-48065 MEDIUM
6.7 May 27

Heap buffer overflow in pam_usb prior to 0.9.1 allows a local attacker with high privileges to corrupt heap memory on 32

CVE-2026-48981 MEDIUM
6.7 Jun 18

XXE injection in pam_usb prior to 0.9.2 enables an attacker with write access to the root-owned configuration file to tr

CVE-2026-47273 MEDIUM
6.5 May 27

XPath injection in pam_usb prior to 0.9.0 allows unauthenticated remote attackers to manipulate device-verification quer

CVE-2026-47274 MEDIUM
6.3 May 27

PATH hijacking in pam_usb helper tools prior to version 0.9.0 allows a local low-privileged attacker who can manipulate

CVE-2026-48980 MEDIUM
6.3 Jun 18

Environment variable injection in pam_usb prior to version 0.9.2 allows a local authenticated user to bypass hardware US

CVE-2026-48982 MEDIUM
5.8 Jun 18

Non-atomic one-time pad file creation in pam_usb prior to 0.9.2 exposes the core replay-prevention mechanism to a local

CVE-2026-48066 MEDIUM
5.7 May 27

Concurrent PAM invocations in pam_usb prior to 0.9.1 expose a process-wide static pointer race condition in src/log.c, w

CVE-2026-48985 MEDIUM
5.5 Jun 18

NULL pointer dereference in pam_usb 0.9.1 and below crashes PAM-integrated authentication services (sudo, login) when lo

CVE-2026-48986 MEDIUM
4.7 Jun 18

Infinite loop denial-of-service in pam_usb 0.9.1 and earlier can permanently hang authentication processes such as sudo,

CVE-2026-48984 MEDIUM
4.7 Jun 18

Insecure deallocation in pam_usb 0.9.1 and below leaves sensitive authentication material - including one-time pad (OTP)
