Description
pam_usb provides hardware authentication for Linux using ordinary removable media. In versions 0.9.1 and below, the xfree() memory release helper in calls free() without first zeroing the buffer contents, releasing heap-allocated buffers containing sensitive data — including one-time pad bytes read from disk — without clearing, leaving the sensitive content in freed heap memory until it happens to be overwritten by a subsequent allocation. On a system where a use-after-free condition exists, or where a heap inspection primitive becomes available, this could allow recovery of pad values or other authentication material from freed memory regions. This is a defence-in-depth requirement consistent with prior hardening work in this codebase (GHSA-vx6f-rrqr-j87c applied explicit_bzero to some pad paths; this issue generalises the pattern to the central deallocation helper).
Published: 2026-06-18
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from the xfree() helper in pam_usb, which frees heap memory without zeroing the contents. This oversight allows sensitive cryptographic data – such as one‑time pad bytes read from removable media – to remain in freed heap memory until overwritten. An attacker who can trigger a use‑after‑free condition or otherwise inspect heap contents can recover these values, potentially compromising authentication schemes that depend on the confidentiality of this data.

Affected Systems

The affected product is pam_usb from mcdope, specifically all releases 0.9.1 and below. Any system running those versions and using the USB‑based authentication mechanism is susceptible.

Risk and Exploitability

The CVSS score of 4.7 indicates moderate severity. Because exploiting the flaw requires either a use‑after‑free scenario or access to heap inspection tools, the practical attack surface is limited to local or privileged users; the EPSS score is not reported and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the potential for sensitive data exposure warrants prompt mitigation.

Generated by OpenCVE AI on June 18, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pam_usb to version 0.9.2 or later, which implements explicit_bzero in the deallocation path.
  • If an upgrade cannot be performed immediately, disable pam_usb’s USB authentication feature on affected systems until the patch is applied.
  • Limit privileged access and prevent memory‑inspection tools on hosts that run older pam_usb releases to reduce the likelihood of use‑after‑free exploitation.

Generated by OpenCVE AI on June 18, 2026 at 21:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Mcdope
Mcdope pam Usb
Vendors & Products Mcdope
Mcdope pam Usb

Thu, 18 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Description pam_usb provides hardware authentication for Linux using ordinary removable media. In versions 0.9.1 and below, the xfree() memory release helper in calls free() without first zeroing the buffer contents, releasing heap-allocated buffers containing sensitive data — including one-time pad bytes read from disk — without clearing, leaving the sensitive content in freed heap memory until it happens to be overwritten by a subsequent allocation. On a system where a use-after-free condition exists, or where a heap inspection primitive becomes available, this could allow recovery of pad values or other authentication material from freed memory regions. This is a defence-in-depth requirement consistent with prior hardening work in this codebase (GHSA-vx6f-rrqr-j87c applied explicit_bzero to some pad paths; this issue generalises the pattern to the central deallocation helper).
Title pam_usb: xfree() does not call explicit_bzero — sensitive cryptographic material may linger in freed heap
Weaknesses CWE-14
CWE-226
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T18:48:13.213Z

Reserved: 2026-05-26T23:26:07.975Z

Link: CVE-2026-48984

cve-icon Vulnrichment

Updated: 2026-06-18T18:47:58.432Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T21:30:16Z

Weaknesses
  • CWE-14

    Compiler Removal of Code to Clear Buffers

  • CWE-226

    Sensitive Information in Resource Not Removed Before Reuse