CVE-2026-48985

pam_usb provides hardware authentication for Linux using ordinary removable media. In versions 0.9.1 and below, pusb_is_loginctl_local() can cause a NULL dereference crash when parsing loginctl output. The function calls popen() and reads the result; if the Remote field is only a newline, fgets() succeeds but strtok_r(buf, "\n", &saveptr) returns NULL. A subsequent strcmp(is_remote, "no") then dereferences NULL, causing undefined behavior (typically SIGSEGV) and crashing the PAM module. This can crash the authenticating process (e.g., sudo, login) and, depending on PAM stack configuration, deny access for all users of the affected service. This issue has been fixed in version 0.9.2.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/mcdope/pam_usb/releases/tag/0.9.2
https://github.com/mcdope/pam_usb/security/advisories/GHSA-7j6h-wfc2-mg5q

Configurations

No configuration.

History

18 Jun 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-18 18:16

Updated : 2026-06-22 17:56

NVD link : CVE-2026-48985

Mitre link : CVE-2026-48985

CVE.ORG link : CVE-2026-48985

JSON object : View

Products Affected

No product.

CWE

CWE-476

NULL Pointer Dereference

{"id": "CVE-2026-48985", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-48985", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-18T19:08:54.015120Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "mcdope", "product": "pam_usb", "versions": [{"status": "affected", "version": "< 0.9.2"}]}]}], "published": "2026-06-18T18:16:19.660", "references": [{"url": "https://github.com/mcdope/pam_usb/releases/tag/0.9.2", "source": "security-advisories@github.com"}, {"url": "https://github.com/mcdope/pam_usb/security/advisories/GHSA-7j6h-wfc2-mg5q", "source": "security-advisories@github.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "pam_usb provides hardware authentication for Linux using ordinary removable media. In versions 0.9.1 and below, pusb_is_loginctl_local() can cause a NULL dereference crash when parsing loginctl output. The function calls popen() and reads the result; if the Remote field is only a newline, fgets() succeeds but strtok_r(buf, \"\\n\", &saveptr) returns NULL. A subsequent strcmp(is_remote, \"no\") then dereferences NULL, causing undefined behavior (typically SIGSEGV) and crashing the PAM module. This can crash the authenticating process (e.g., sudo, login) and, depending on PAM stack configuration, deny access for all users of the affected service. This issue has been fixed in version 0.9.2."}], "lastModified": "2026-06-22T17:56:35.757", "sourceIdentifier": "security-advisories@github.com"}