Description
pam_usb provides hardware authentication for Linux using removable media. In pam_usb 0.9.1 and earlier, usb_get_process_parent_id() can cause an infinite loop DoS because it does not initialize *ppid on failure. In pusb_local_login(), the same variable is reused as input and output in a process-tree while loop; if /proc/<pid>/stat cannot be read (for example, when an ancestor process exits during authentication), the PID is not updated and the loop does not terminate. This hangs the authenticating process (such as sudo, sshd, or login) until it is forcibly terminated. This issue has been fixed in version 0.9.2.
Published: 2026-06-18
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An infinite loop DoS exists in pam_usb 0.9.1 and earlier because the function that retrieves the parent process ID does not initialize its output parameter on failure, and the same variable is then re‑used as a loop counter in a process‑tree walk. If the authentication process cannot read /proc/<pid>/stat—such as when an ancestor process exits during the authentication attempt—the loop never terminates, causing the authenticating process (e.g., sudo, sshd, or login) to hang until it is forcibly stopped.

Affected Systems

The vulnerability affects the pam_usb plug‑in provided by the vendor mcdope for Linux systems. Versions 0.9.1 and earlier are impacted; the issue was fixed in release 0.9.2.

Risk and Exploitability

The CVSS score of 4.7 indicates moderate impact, and the EPSS score is not available. Since the vulnerability is only listed as a denial of service, no active exploitation is documented and the vulnerability is not in the CISA KEV catalog. An attacker would need to trigger authentication and cause a parent process to exit in order to force the infinite loop; this condition suggests that a privileged or local actor could potentially execute the attack, but the likelihood is considered moderate, and only a denial of service is possible.

Generated by OpenCVE AI on June 18, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pam_usb to 0.9.2 or later
  • Ensure that parent processes remain alive during authentication, for example by managing process lifecycles with systemd or similar tools
  • Monitor authentication services for hangs and restart them if necessary

Generated by OpenCVE AI on June 18, 2026 at 21:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Mcdope
Mcdope pam Usb
Vendors & Products Mcdope
Mcdope pam Usb

Thu, 18 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Description pam_usb provides hardware authentication for Linux using removable media. In pam_usb 0.9.1 and earlier, usb_get_process_parent_id() can cause an infinite loop DoS because it does not initialize *ppid on failure. In pusb_local_login(), the same variable is reused as input and output in a process-tree while loop; if /proc/<pid>/stat cannot be read (for example, when an ancestor process exits during authentication), the PID is not updated and the loop does not terminate. This hangs the authenticating process (such as sudo, sshd, or login) until it is forcibly terminated. This issue has been fixed in version 0.9.2.
Title pam_usb: Infinite loop DoS in process-tree walk when parent process exits during authentication
Weaknesses CWE-835
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T12:34:51.890Z

Reserved: 2026-05-26T23:26:07.975Z

Link: CVE-2026-48986

cve-icon Vulnrichment

Updated: 2026-06-22T12:34:47.871Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T21:30:16Z

Weaknesses
  • CWE-835

    Loop with Unreachable Exit Condition ('Infinite Loop')