CVE-2026-48066 - Vulnerability Details

- pam_usb: Thread-unsafe static pointer in log.c causes data race under concurrent PAM authentication

Description

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/log.c contains a process-wide static pointer that is written on every PAM invocation with the address of a stack-local variable. This violates the PAM re-entrancy requirement and creates a data race when the PAM stack is invoked concurrently from multiple threads. This vulnerability is fixed in 0.9.1.

Published: 2026-05-27

Score: 5.7 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw lies in the pam_usb module's static pointer in src/log.c, which is overwritten on each PAM invocation with a stack‑local address. Because this pointer is shared process‑wide and the module is called concurrently by multiple threads, the requirement that PAM modules be re‑entrant is violated. The resulting data race can cause inconsistent writes to the pointer, potentially leading to authentication failures or, under rare circumstances, to an unauthorized access if the race is exploited to alter authentication logic.

Affected Systems

This issue affects the pam_usb implementation from the mcdope project. All releases prior to 0.9.1 contain the buggy static pointer. The fix is included in 0.9.1 and later.

Risk and Exploitability

The CVSS score of 5.7 rates the vulnerability as medium, reflecting the potential for authentication disruption but limited exploitability. EPSS is not available, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is concurrent authentication requests through a PAM stack, which would require either local or privileged access or the cooperation of another process that can trigger simultaneous calls. As the description does not specify that the race can reliably cause a denial of service or bypass, we treat it as medium risk until a proof of concept is demonstrated.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

mcdope

pam_usb

affected

Version	Status	Constraints
`< 0.9.1`	affected	—

No data.

Vendor Product Confidence Versions

Mcdope

Pam Usb

100%

Version	Status	Scheme	Platform
`[0,0.9.1)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade pam_usb to version 0.9.1 or later, which eliminates the static pointer race.
If upgrading cannot be performed immediately, configure the PAM stack so that authentication requests are processed sequentially, for example by disabling multithreading in the PAM environment or by ensuring that only one thread executes authentication at a time.
Review and audit any custom PAM modules for static pointers or shared mutable state, and enforce proper synchronization or avoid shared state to satisfy the PAM re‑entrancy requirement.

Generated by OpenCVE AI on May 27, 2026 at 21:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00116.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/mcdope/pam_usb/issues/350
https://github.com/mcdope/pam_usb/issues/55
https://github.com/mcdope/pam_usb/security/advisories/GHSA-qg76-57wq-mpv6

History

Fri, 29 May 2026 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mcdope Mcdope pam Usb
Vendors & Products		Mcdope Mcdope pam Usb

Thu, 28 May 2026 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 27 May 2026 20:15:00 +0000

Type	Values Removed	Values Added
Description		pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/log.c contains a process-wide static pointer that is written on every PAM invocation with the address of a stack-local variable. This violates the PAM re-entrancy requirement and creates a data race when the PAM stack is invoked concurrently from multiple threads. This vulnerability is fixed in 0.9.1.
Title		pam_usb: Thread-unsafe static pointer in log.c causes data race under concurrent PAM authentication
Weaknesses		CWE-362 CWE-476
References		https://github.com/mcdope/pam_usb/issues/350 https://github.com/mcdope/pam_usb/issues/55 https://github.com/mcdope/pam_usb/security/advisories/GHSA-qg76-57wq-mpv6
Metrics		cvssV3_1 `{'score': 5.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H'}`

Subscriptions

Mcdope Pam Usb

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-27T19:57:42.557Z

Updated: 2026-05-28T12:54:38.194Z

Reserved: 2026-05-20T18:25:25.707Z

Link: CVE-2026-48066

Vulnrichment

Updated: 2026-05-28T12:54:28.854Z

NVD

Status : Deferred

Published: 2026-05-27T20:16:40.543

Modified: 2026-06-17T10:54:50.780

Link: CVE-2026-48066

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:50:13Z

Weaknesses

CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-476
NULL Pointer Dereference

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object