CVE-2026-48983 - Vulnerability Details

Description

pam_usb provides hardware authentication for Linux using ordinary removable media. In versions prior to 0.9.2, a symlink race condition exists in per-device and per-user pad directory creation. pam_usb uses a check-then-act pattern: it calls lstat() to test for existence and then calls mkdir() separately to create the directory. A local attacker can win the race between these calls by replacing the target path with a symlink to a directory they control. If successful, one-time pad files may be written to an attacker-controlled location, potentially exposing future pad values before use or disrupting authentication. This issue has been fixed in version 0.9.2.

Published: 2026-06-18

Score: 5.8 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

pam_usb is a hardware‑authenticator that uses removable media for one‑time pad files. In versions prior to 0.9.2 the code performs a separate existence check and creation of per‑device and per‑user pad directories, creating a TOCTOU race. A local attacker can exploit this by replacing the target path with a symlink to a directory they control. If the race is won, pad files are written to the attacker’s directory, potentially exposing sensitive pad values before they are used and allowing the attacker to disrupt or bypass authentication. This weakness is classified as CWE‑367 and primarily impacts confidentiality and integrity of the authentication system.

Affected Systems

The vulnerability affects the PamUsb package from the vendor mcdope. All installations of pam_usb versions earlier than 0.9.2 are susceptible. The fix is included in 0.9.2, so systems running that or newer release versions are not affected.

Risk and Exploitability

The CVSS score of 5.8 indicates moderate severity. The EPSS score is not available, so the likelihood of exploitation is unknown, and the vulnerability is not listed in the CISA KEV catalog. The attack requires local access with the ability to manipulate files in the pad directory path; it is not a remote exploit. Once the race is successfully won, the attacker can gain read access to pad files and possibly interfere with the authentication process, but does not necessarily achieve full system compromise unless additional privileges are obtained.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

mcdope

pam_usb

affected

Version	Status	Constraints
`< 0.9.2`	affected	—

No data.

Vendor Product Confidence Versions

Mcdope

Pam Usb

100%

Version	Status	Scheme	Platform
`[0,0.9.2)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade pam_usb to version 0.9.2 or later, which removes the TOCTOU flaw.
If an upgrade cannot be applied immediately, remove or disable the pam_usb entry in the PAM configuration file to stop using the vulnerable component.
Ensure that the directory where pam_usb creates pads is owned by root and has strict permissions (e.g., 700) so that unprivileged users cannot create symlinks or write files there.

Generated by OpenCVE AI on June 18, 2026 at 21:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/mcdope/pam_usb/releases/tag/0.9.2
https://github.com/mcdope/pam_usb/security/advisories/GHSA-4j8q-67fq-3xc3

History

Thu, 18 Jun 2026 21:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mcdope Mcdope pam Usb
Vendors & Products		Mcdope Mcdope pam Usb

Thu, 18 Jun 2026 19:45:00 +0000

Type	Values Removed	Values Added
Description		pam_usb provides hardware authentication for Linux using ordinary removable media. In versions prior to 0.9.2, a symlink race condition exists in per-device and per-user pad directory creation. pam_usb uses a check-then-act pattern: it calls lstat() to test for existence and then calls mkdir() separately to create the directory. A local attacker can win the race between these calls by replacing the target path with a symlink to a directory they control. If successful, one-time pad files may be written to an attacker-controlled location, potentially exposing future pad values before use or disrupting authentication. This issue has been fixed in version 0.9.2.
Title		pam_usb: TOCTOU race condition in pad directory creation allows symlink substitution
Weaknesses		CWE-367
References		https://github.com/mcdope/pam_usb/releases/tag/0.9.2 https://github.com/mcdope/pam_usb/security/advisories/GHSA-4j8q-67fq-3xc3
Metrics		cvssV3_1 `{'score': 5.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L'}`

Subscriptions

Mcdope Pam Usb

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-18T19:07:56.198Z

Updated: 2026-06-18T19:07:56.198Z

Reserved: 2026-05-26T23:26:07.975Z

Link: CVE-2026-48983

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T21:30:16Z

Weaknesses

CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object