Description
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/evdev.c silently ignores EACCES errors when opening /dev/input/event* nodes, causing pusb_has_virtual_input_device() to return 0 (no virtual devices found) even when every open() call failed due to insufficient permissions. The caller in src/local.c cannot distinguish a clean absence of virtual devices from a permission-denied scan, and acts on the false negative by continuing authentication without denying. This vulnerability is fixed in 0.9.1.
Published: 2026-05-27
Score: 4.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

pam_usb silently ignores EACCES errors while opening /dev/input/event* nodes. When these errors occur, pusb_has_virtual_input_device() incorrectly reports no virtual devices, causing the PAM module to treat the lack of devices as a clean state and continue authentication. Based on the description, it is inferred that the failure to detect virtual input devices permits a non‑privileged user to bypass the hardware‑based authentication requirement. This flaw is consistent with CWE‑390 (Error Condition Not Handled) and CWE‑693 (Security Misconfiguration).
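Both the Description and the Impact paragraph above describe the same failure mode. The added example below is not pam_usb's code: it shows the vulnerable shape (open errors skipped, so an all-EACCES scan reads as "no virtual devices") beside a hardened scan that returns a distinct error state, plus a caller that fails closed. The per-node open()+ioctl() check is abstracted behind a hypothetical probe callback, and the fake probes and sample node names are constructed for the demonstration.

```c
#include <errno.h>
#include <stddef.h>

/* Tri-state result: the caller must be able to tell "nothing found"
 * from "could not look". A plain 0/1 cannot express the third case. */
enum scan_result { SCAN_ERROR = -1, SCAN_NONE = 0, SCAN_FOUND = 1 };

/* Hypothetical per-node check standing in for open()+ioctl() on an
 * /dev/input/event* node: 1 = virtual device, 0 = not virtual,
 * -1 with errno set = the node could not be examined at all. */
typedef int (*probe_fn)(const char *node);

/* Vulnerable shape (what the description says pre-0.9.1 did):
 * every failure is skipped, so "all nodes EACCES" becomes SCAN_NONE. */
int scan_ignoring_errors(const char *const *nodes, size_t n, probe_fn probe)
{
    for (size_t i = 0; i < n; i++) {
        if (probe(nodes[i]) > 0)
            return SCAN_FOUND;
        /* errors fall through here and are forgotten */
    }
    return SCAN_NONE;
}

/* Hardened shape: count nodes we were not allowed to examine. If none
 * of the nodes could be inspected, report SCAN_ERROR, not SCAN_NONE. */
int scan_tracking_errors(const char *const *nodes, size_t n, probe_fn probe)
{
    size_t unreadable = 0;
    for (size_t i = 0; i < n; i++) {
        int r = probe(nodes[i]);
        if (r > 0)
            return SCAN_FOUND;
        if (r < 0 && errno == EACCES)
            unreadable++;
    }
    return (n > 0 && unreadable == n) ? SCAN_ERROR : SCAN_NONE;
}

/* Fail-closed caller policy: only a clean SCAN_NONE lets the hardware
 * check proceed; a found virtual device and a failed scan both deny. */
int should_deny(int scan)
{
    return scan != SCAN_NONE;
}

/* Constructed probes and node list for the demonstration (no real device access). */
int probe_all_denied(const char *node) { (void)node; errno = EACCES; return -1; }
int probe_not_virtual(const char *node) { (void)node; return 0; }
static const char *const SAMPLE_NODES[] = { "/dev/input/event0", "/dev/input/event1" };
#define SAMPLE_COUNT (sizeof SAMPLE_NODES / sizeof SAMPLE_NODES[0])
```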

Affected Systems

The vulnerability affects the pam_usb software produced by the mcdope vendor. All versions released prior to 0.9.1 are affected; the security fix is included starting in version 0.9.1 and later. Packages containing older releases that are used in PAM configurations on Linux systems are at risk.

Risk and Exploitability

The CVSS base score of 4.4 indicates medium severity, and EPSS information is not available. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a local user who can trigger a PAM authentication transaction that employs pam_usb. Because the error handling flaw occurs only when pam_usb runs without root privileges, a malicious user can initiate authentication through services such as remote desktop or other session initiation tools, potentially establishing an unauthorized session if the device authentication is skipped. The lack of an explicit denial when permissions are denied means the flaw remains active whenever pam_usb is invoked for non‑root sessions.

Generated by OpenCVE AI on May 27, 2026 at 22:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pam_usb to version 0.9.1 or later, which implements proper error handling for EACCES conditions.
  • If upgrading is not immediately possible, remove or comment out pam_usb in the PAM configuration files for services that run as non‑root or that do not require hardware authentication.
  • As a temporary measure, ensure that pam_usb runs only under root privileges or restrict access to /dev/input/event* devices to the root group, preventing non‑privileged users from opening them.


Tracking


Advisories

No advisories yet.

History

Wed, 27 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/evdev.c silently ignores EACCES errors when opening /dev/input/event* nodes, causing pusb_has_virtual_input_device() to return 0 (no virtual devices found) even when every open() call failed due to insufficient permissions. The caller in src/local.c cannot distinguish a clean absence of virtual devices from a permission-denied scan, and acts on the false negative by continuing authentication without denying. This vulnerability is fixed in 0.9.1.
Title pam_usb: pusb_has_virtual_input_device() silently discards EACCES, disabling remote desktop detection under non-root execution
Weaknesses CWE-390
CWE-693
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T19:55:46.392Z

Reserved: 2026-05-22T20:18:20.366Z

Link: CVE-2026-48792

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-27T20:16:41.077

Modified: 2026-05-27T20:16:41.077

Link: CVE-2026-48792

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T22:15:25Z

Weaknesses