Description
pam_usb provides hardware authentication for Linux using ordinary removable media. In versions 0.9.1 and below, pusb_is_loginctl_local() can cause a NULL dereference crash when parsing loginctl output. The function calls popen() and reads the result; if the Remote field is only a newline, fgets() succeeds but strtok_r(buf, "\n", &saveptr) returns NULL. A subsequent strcmp(is_remote, "no") then dereferences NULL, causing undefined behavior (typically SIGSEGV) and crashing the PAM module. This can crash the authenticating process (e.g., sudo, login) and, depending on PAM stack configuration, deny access for all users of the affected service. This issue has been fixed in version 0.9.2.
Published: 2026-06-18
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

pam_usb is a Linux PAM module that authenticates users using removable media. In versions 0.9.1 and earlier, the function pusb_is_loginctl_local can dereference a NULL pointer when loginctl output contains an empty Remote field. This results in a segmentation fault that terminates the PAM module, and depending on the PAM stack configuration, can deny authentication for all users of the affected service. The vulnerability is a classic NULL pointer dereference (CWE‑476) and can lead to a denial of service on the system.

Affected Systems

Vendors: mcdope provides the pam_usb package. Affected versions are 0.9.1 and all earlier releases. The vulnerability applies to Linux installations that use pam_usb for authentication, such as systems with PAM stacks configured to load the module for login, SSH, sudo, or other privileged services.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. The likely attack vector is local: an authenticated or unauthenticated user who initiates an authentication session using pam_usb can trigger the crash by providing removable media that causes loginctl to output an empty Remote field. A successful crash would suspend the authentication process, potentially denying service to all users of the affected PAM service. No privileged escalation is required; the impact is limited to denial of service.

Generated by OpenCVE AI on June 18, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pam_usb to version 0.9.2 or later, as the issue is fixed there.
  • Re‑enable any PAM services that rely on pam_usb after the upgrade to verify that authentication works normally.
  • If an upgrade is not immediately possible, comment out or temporarily remove pam_usb from the PAM configuration files for the affected services to prevent the crash from impacting users.

Generated by OpenCVE AI on June 18, 2026 at 21:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Mcdope
Mcdope pam Usb
Vendors & Products Mcdope
Mcdope pam Usb

Thu, 18 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Description pam_usb provides hardware authentication for Linux using ordinary removable media. In versions 0.9.1 and below, pusb_is_loginctl_local() can cause a NULL dereference crash when parsing loginctl output. The function calls popen() and reads the result; if the Remote field is only a newline, fgets() succeeds but strtok_r(buf, "\n", &saveptr) returns NULL. A subsequent strcmp(is_remote, "no") then dereferences NULL, causing undefined behavior (typically SIGSEGV) and crashing the PAM module. This can crash the authenticating process (e.g., sudo, login) and, depending on PAM stack configuration, deny access for all users of the affected service. This issue has been fixed in version 0.9.2.
Title pam_usb: NULL Dereference Crash in pusb_is_loginctl_local when loginctl Returns Empty Remote Field
Weaknesses CWE-476
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T19:13:33.772Z

Reserved: 2026-05-26T23:26:07.975Z

Link: CVE-2026-48985

cve-icon Vulnrichment

Updated: 2026-06-18T19:13:27.303Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T21:30:16Z

Weaknesses