PatchSiren cyber security CVE debrief
CVE-2026-44710 mcdope CVE debrief
A NULL pointer dereference vulnerability exists in pam_usb prior to version 0.8.7. The affected code in src/device.c passes return values from udisks_drive_get_serial(), udisks_drive_get_vendor(), and udisks_drive_get_model() directly to strcmp() without validating whether these pointers are non-NULL. According to GIO/UDisks API documentation, these accessor functions may return NULL when devices do not expose the corresponding fields. Passing NULL to strcmp() invokes undefined behavior, which typically manifests as a segmentation fault (SIGSEGV) causing denial of service. This vulnerability requires physical access to the system (attacker must insert a removable media device lacking serial, vendor, or model fields) but can be triggered without authentication. The CVSS 3.1 vector AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H reflects this physical attack vector with high availability impact. The issue was remediated in pam_usb 0.8.7 by adding appropriate NULL checks before string comparison operations.
- Vendor: mcdope
- Product: pam_usb
- CVSS: MEDIUM 4.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-28
Who should care
Linux system administrators using pam_usb for hardware-based authentication; security teams responsible for physical access controls and authentication infrastructure; developers maintaining PAM modules or UDisks integrations
Technical summary
The pam_usb library provides hardware authentication for Linux systems using ordinary removable USB media. Versions prior to 0.8.7 contain a NULL pointer dereference vulnerability in src/device.c where return values from UDisks device property accessors (udisks_drive_get_serial, udisks_drive_get_vendor, udisks_drive_get_model) are passed directly to strcmp() without NULL validation. These GIO/UDisks API functions can legitimately return NULL for devices that do not expose the corresponding descriptor fields. The resulting undefined behavior typically causes process termination via SIGSEGV, creating a denial of service condition during authentication attempts. An attacker with physical access can trigger this crash by inserting a USB device with incomplete descriptor information. The vulnerability does not enable code execution or privilege escalation directly, but the resulting authentication service interruption may facilitate follow-on attacks. Remediation requires updating to pam_usb 0.8.7, which implements proper NULL checks before string comparisons.
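The defective comparison beside its hardened form, as an added C illustration that is not pam_usb's own src/device.c. The struct fields and device values are constructed stand-ins for the libudisks2 accessors named above, so the block runs without UDisks installed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the three UDisks drive properties pam_usb
 * compares; the real libudisks2 accessors are not linked here. NULL
 * models a field the device does not expose, which the API permits. */
typedef struct {
    const char *serial;
    const char *vendor;
    const char *model;
} device_fields;

/* Vulnerable shape described in the advisory (pre-0.8.7): accessor results
 * go straight into strcmp(). A NULL field is undefined behaviour and in
 * practice a SIGSEGV in the authenticating process. */
int match_unsafe(const device_fields *seen, const device_fields *expected)
{
    return strcmp(seen->serial, expected->serial) == 0 &&
           strcmp(seen->vendor, expected->vendor) == 0 &&
           strcmp(seen->model, expected->model) == 0;
}

/* Hardened shape: check every pointer first. A missing descriptor field
 * cannot equal a configured value, so the device is rejected and the
 * authentication fails closed instead of crashing. */
static int safe_streq(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return 0;
    return strcmp(a, b) == 0;
}

int match_safe(const device_fields *seen, const device_fields *expected)
{
    return safe_streq(seen->serial, expected->serial) &&
           safe_streq(seen->vendor, expected->vendor) &&
           safe_streq(seen->model, expected->model);
}

/* Constructed sample data: a configured device and two inserted devices. */
const device_fields KNOWN     = { "SN-0001", "ExampleVendor", "ExampleStick" };
const device_fields GOOD      = { "SN-0001", "ExampleVendor", "ExampleStick" };
const device_fields NO_SERIAL = { NULL,      "ExampleVendor", "ExampleStick" };
int main(void)
{
    printf("known device: %s\n", match_safe(&GOOD, &KNOWN) ? "match" : "reject");
    printf("no serial:    %s\n", match_safe(&NO_SERIAL, &KNOWN) ? "match" : "reject");
    /* match_unsafe(&NO_SERIAL, &KNOWN) would dereference NULL here. */
    return 0;
}
```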
Defensive priority
medium
Recommended defensive actions
- Upgrade pam_usb to version 0.8.7 or later to remediate the NULL pointer dereference vulnerability
- Audit Linux systems using pam_usb for hardware authentication and verify current package versions
- Monitor authentication logs for unexpected segmentation faults or service interruptions during USB device insertion
- Review custom PAM configurations that integrate pam_usb for additional input validation layers
- Consider implementing device whitelisting policies that restrict authentication to known-good USB devices with complete descriptor fields
Evidence notes
Vulnerability description confirms NULL pointer dereference in src/device.c affecting udisks_drive_get_serial(), udisks_drive_get_vendor(), and udisks_drive_get_model() return values passed to strcmp(). CVSS vector AV:P indicates physical access requirement. CWE-476 classification confirms NULL pointer dereference weakness type. Fix version 0.8.7 confirmed in description.
Official resources
- CVE-2026-44710 CVE record (CVE.org)
- CVE-2026-44710 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27