Impact
A use-after-free bug in the SSSD PAM responder causes the process to crash when authenticating with a YubiKey. The dangling pointer can be triggered by a local attacker who manipulates smartcard or YubiKey contents, leading to a denial of service that interrupts authentication. The flaw also presents a theoretical privilege escalation path, although it is difficult to exploit fully.
Affected Systems
The vulnerability affects Red Hat Enterprise Linux versions 6, 7, 8, 9, 10, Red Hat Hardened Images, and Red Hat OpenShift Container Platform 4. It impacts the sssd service running on these platforms.
Risk and Exploitability
The CVSS score of 6.4 indicates moderate severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. The attack vector requires local access and the ability to influence YubiKey or smartcard input, so remote exploitation is unlikely based on the available information. If exploited, the denial of service could interrupt authentication services and potentially allow privilege escalation under certain conditions.
OpenCVE Enrichment