Description
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/log.c contains a process-wide static pointer that is written on every PAM invocation with the address of a stack-local variable. This violates the PAM re-entrancy requirement and creates a data race when the PAM stack is invoked concurrently from multiple threads. This vulnerability is fixed in 0.9.1.
Published: 2026-05-27
Score: 5.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the pam_usb module's static pointer in src/log.c, which is overwritten on each PAM invocation with a stack‑local address. Because this pointer is shared process‑wide and the module is called concurrently by multiple threads, the requirement that PAM modules be re‑entrant is violated. The resulting data race can cause inconsistent writes to the pointer, potentially leading to authentication failures or, under rare circumstances, to an unauthorized access if the race is exploited to alter authentication logic.

Affected Systems

This issue affects the pam_usb implementation from the mcdope project. All releases prior to 0.9.1 contain the buggy static pointer. The fix is included in 0.9.1 and later.

Risk and Exploitability

The CVSS score of 5.7 rates the vulnerability as medium, reflecting the potential for authentication disruption but limited exploitability. EPSS is not available, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is concurrent authentication requests through a PAM stack, which would require either local or privileged access or the cooperation of another process that can trigger simultaneous calls. As the description does not specify that the race can reliably cause a denial of service or bypass, we treat it as medium risk until a proof of concept is demonstrated.

Generated by OpenCVE AI on May 27, 2026 at 21:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pam_usb to version 0.9.1 or later, which eliminates the static pointer race.
  • If upgrading cannot be performed immediately, configure the PAM stack so that authentication requests are processed sequentially, for example by disabling multithreading in the PAM environment or by ensuring that only one thread executes authentication at a time.
  • Review and audit any custom PAM modules for static pointers or shared mutable state, and enforce proper synchronization or avoid shared state to satisfy the PAM re‑entrancy requirement.

Generated by OpenCVE AI on May 27, 2026 at 21:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/log.c contains a process-wide static pointer that is written on every PAM invocation with the address of a stack-local variable. This violates the PAM re-entrancy requirement and creates a data race when the PAM stack is invoked concurrently from multiple threads. This vulnerability is fixed in 0.9.1.
Title pam_usb: Thread-unsafe static pointer in log.c causes data race under concurrent PAM authentication
Weaknesses CWE-362
CWE-476
References
Metrics cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T19:59:06.293Z

Reserved: 2026-05-20T18:25:25.707Z

Link: CVE-2026-48066

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-27T20:16:40.543

Modified: 2026-05-27T20:16:40.543

Link: CVE-2026-48066

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T22:00:17Z

Weaknesses