Impact
The vulnerability in pam_usb occurs when the module allocates memory for device structures without enforcing an upper bound on the number of devices parsed from an XML configuration. On 32‑bit systems, the multiplication of the device count by the size of the structure wraps around size_t, causing the allocator to receive a very small size. The allocation succeeds with a small non‑NULL buffer, and subsequent array writes overflow the heap. Because the module runs with elevated privileges during authentication, this overflow could allow an attacker to execute arbitrary code with root privileges, effectively yielding local privilege escalation (inferred from the described behavior).
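The size wrap described above and a bounded allocation, as an added example that is not pam_usb's own code. `device_entry` and its 512-byte size, `size32_t` (which models a 32-bit size_t on any host), the cap of 64 devices and the sample count are all assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical device record; pam_usb's real structure is not shown on the page. */
typedef struct {
    char vendor[128], model[128], serial[128], volume_uuid[128];
} device_entry;                      /* 512 bytes */

typedef uint32_t size32_t;           /* models size_t on armv7l / i686 */
#define MAX_DEVICES 64u              /* assumed cap, not the project's value */

/* Unchecked pattern: the byte count wraps modulo 2^32. */
size32_t unchecked_alloc_size(size32_t count) {
    return count * (size32_t)sizeof(device_entry);
}

/* Checked size: -1 if count is zero, above the cap, or would wrap. */
int checked_alloc_size(size32_t count, size32_t cap, size32_t *out) {
    if (count == 0 || count > cap) return -1;
    if (count > UINT32_MAX / (size32_t)sizeof(device_entry)) return -1;
    *out = count * (size32_t)sizeof(device_entry);
    return 0;
}

/* Hardened allocation: bound the count, then let calloc() check the product. */
device_entry *alloc_devices(size_t count) {
    if (count == 0 || count > MAX_DEVICES) return NULL;
    return calloc(count, sizeof(device_entry));
}

int main(void) {
    size32_t n = 0x00800001u;        /* constructed count: 8388609 entries */
    size32_t sz = 0;
    printf("unchecked: %u entries -> %u bytes requested\n",
           (unsigned)n, (unsigned)unchecked_alloc_size(n));
    printf("checked:   %s\n",
           checked_alloc_size(n, MAX_DEVICES, &sz) ? "rejected" : "accepted");
    device_entry *d = alloc_devices(4);
    printf("4 entries: %s\n", d ? "allocated" : "refused");
    free(d);
    return 0;
}
```

With the constructed count, the unchecked computation asks the allocator for a single record's worth of memory while the caller believes it holds millions, which is the mismatch the cap and the division check reject.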
Affected Systems
The affected product is pam_usb provided by mcdope. Versions prior to 0.9.1 are vulnerable; the bug manifests only on 32‑bit targets (armv7l and i686). The issue is absent in 0.9.1 and later releases and on 64‑bit architectures.
Risk and Exploitability
The CVSS score of 6.7 indicates moderate severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting a lower exploitation probability compared to higher‑profile bugs. The likely attack vector is local: an attacker with the ability to supply a specially crafted XML configuration or a physical USB device with a manipulated device count could trigger the overflow (inferred from the need to modify the configuration file or input credentials during authentication). Exploitation would require the attacker to have sufficient permission to modify the configuration file or inject credentials during the authentication process. Although there is no obvious remote vector, the elevated privileges of the module make the potential damage significant.