Description
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, src/mem.c implemented out-of-memory guards for xmalloc(), xrealloc(), and xstrdup() using assert(data != NULL). The C standard specifies that all assert() expressions are compiled out when NDEBUG is defined at build time. NDEBUG is commonly defined in release and packaging builds (Debian, Fedora, Arch package flags all define it via -DNDEBUG in CFLAGS). With the guard removed, xmalloc/xrealloc/xstrdup silently return NULL on allocation failure. Every caller in the codebase dereferences the return value without a NULL check -- this is the intended design, as the guard was supposed to abort before the dereference. With the guard gone, any allocation failure causes a NULL pointer dereference, crashing the PAM module. A crash in a PAM module loaded by sudo or login causes authentication to fail for the duration of the crash, creating a local denial-of-service condition. An attacker who can induce memory pressure at authentication time can lock all users out of sudo and login. This vulnerability is fixed in 0.9.0.
Published: 2026-05-27
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when pam_usb is compiled with the NDEBUG flag, which removes assert‑based out‑of‑memory checks from its memory allocation helpers. When an allocation fails, the helper functions return NULL and the caller dereferences the pointer without checking for null. This causes a crash of the PAM module, interrupting the authentication process performed by sudo or login and effectively denying users access to privileged actions for the duration of the crash.

Affected Systems

All releases of the mcdope pam_usb package prior to version 0.9.0 are affected, including the Debian, Fedora, and Arch package builds that compile the module with NDEBUG. The issue is present whenever the module is linked into the PAM stack used for sudo or system logins.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity. While the vulnerability does not provide remote code execution, it enables a local denial‑of‑service by allowing an attacker who can impose memory pressure during an authentication attempt to crash the pam_usb module, thereby locking all users out of sudo and login. With no EPSS score available and the vulnerability not listed in CISA’s KEV catalog, the likelihood of widespread exploitation is uncertain but the impact on affected systems remains significant if the module is in use.

Generated by OpenCVE AI on May 27, 2026 at 22:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pam_usb to version 0.9.0 or later, where the out‑of‑memory guards and NULL checks are restored.
  • If you compile pam_usb yourself, rebuild without defining NDEBUG or replace the memory helpers with safe‑check implementations that avoid dereferencing NULL pointers.
  • If an upgrade is not immediately possible, remove the pam_usb entry from the relevant /etc/pam.d configuration files to prevent the module from loading during sudo or login operations.

Generated by OpenCVE AI on May 27, 2026 at 22:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, src/mem.c implemented out-of-memory guards for xmalloc(), xrealloc(), and xstrdup() using assert(data != NULL). The C standard specifies that all assert() expressions are compiled out when NDEBUG is defined at build time. NDEBUG is commonly defined in release and packaging builds (Debian, Fedora, Arch package flags all define it via -DNDEBUG in CFLAGS). With the guard removed, xmalloc/xrealloc/xstrdup silently return NULL on allocation failure. Every caller in the codebase dereferences the return value without a NULL check -- this is the intended design, as the guard was supposed to abort before the dereference. With the guard gone, any allocation failure causes a NULL pointer dereference, crashing the PAM module. A crash in a PAM module loaded by sudo or login causes authentication to fail for the duration of the crash, creating a local denial-of-service condition. An attacker who can induce memory pressure at authentication time can lock all users out of sudo and login. This vulnerability is fixed in 0.9.0.
Title pam_usb: OOM guards removed by -DNDEBUG cause NULL dereference and authentication process crash
Weaknesses CWE-476
References
Metrics cvssV3_1

{'score': 5.1, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T20:08:02.552Z

Reserved: 2026-05-18T23:03:37.229Z

Link: CVE-2026-47271

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-27T20:16:39.580

Modified: 2026-05-27T20:16:39.580

Link: CVE-2026-47271

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T22:15:25Z

Weaknesses