PatchSiren
CVE-2026-47271 mcdope CVE debrief

pam_usb 0.9.0 fixes a local denial-of-service vulnerability in its memory allocation wrappers. The out-of-memory guards in xmalloc(), xrealloc(), and xstrdup() were implemented with assert(), which the preprocessor removes whenever NDEBUG is defined. In release builds (common in Debian, Fedora, and Arch packages) an allocation failure therefore returns NULL to a caller that dereferences it, crashing the process that loaded the PAM module (sudo, login) and failing that authentication attempt. An attacker able to induce memory pressure on the host can make this repeatable and effectively lock local users out of sudo and login. The crash terminates the authenticating process rather than granting access, so this is a denial of service, not an authentication bypass.

Vendor: mcdope
Product: pam_usb
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-28
Advisory published: 2026-05-27
Advisory updated: 2026-05-28

Who should care

Linux system administrators using pam_usb for hardware-based authentication; security teams managing PAM configurations; distribution maintainers packaging pam_usb

Technical summary

The pam_usb library provides hardware authentication for Linux using removable media. Versions prior to 0.9.0 implemented the memory allocation failure guards in src/mem.c as assert(data != NULL) inside xmalloc(), xrealloc(), and xstrdup(). The C standard defines assert() as a macro in <assert.h> that expands to nothing when NDEBUG is defined at the point of inclusion, and passing -DNDEBUG is standard practice in release builds across major Linux distributions (Debian, Fedora, Arch). With the guards compiled out, a failed allocation returns NULL and the callers dereference it without checking, so the PAM module crashes the process that loaded it. Because PAM modules run inside sudo, login, and other authentication services, each such crash fails that authentication attempt, and while memory pressure persists every new attempt fails the same way, creating a local denial-of-service condition. An attacker who can induce memory pressure during authentication can use this to lock all users out of sudo and login. The fix in 0.9.0 replaces the assert()-based guards with runtime checks that abort on allocation failure regardless of build configuration, turning an undefined-behaviour crash into a controlled abort.
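The following is an added example written for this debrief, not pam_usb's own src/mem.c. It reconstructs the shape of the pre-0.9.0 guard and shows, in one translation unit, what the same assert() line becomes under -DNDEBUG versus a debug build, beside a guard that checks at runtime regardless of NDEBUG. The allocator and out-of-memory callback parameters, the failing allocator, and the sample string are constructed for the demonstration; the real fix aborts unconditionally, whereas here the failure path is a callback so it can be observed.

```c
/* assert_guard_demo.c -- added example, not pam_usb code.
 * Shows why an assert()-based allocation guard vanishes in a release build
 * and what a build-independent guard looks like. Compile with
 *   cc -o demo assert_guard_demo.c && ./demo
 * The NDEBUG handling is done inside the file so both views are visible.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void *(*alloc_fn)(size_t);
typedef void (*oom_fn)(void);

/* Constructed allocator that always fails, standing in for real memory
 * pressure during a sudo/login authentication. */
static void *failing_alloc(size_t n)
{
    (void)n;
    return NULL;
}

/* --- What an assert() guard compiles to in a -DNDEBUG (release) build.
 * <assert.h> may be included more than once; each inclusion redefines
 * assert according to the current state of NDEBUG (C99 7.2). */
#define NDEBUG
#include <assert.h>
static void *xmalloc_release(size_t n, alloc_fn alloc)
{
    void *p = alloc(n);
    assert(p != NULL);   /* expands to ((void)0): no check at all */
    return p;            /* NULL goes back to a caller that dereferences it */
}

/* --- The same guard in a debug build: the assert is live and aborts. */
#undef NDEBUG
#include <assert.h>
static void *xmalloc_debug(size_t n, alloc_fn alloc)
{
    void *p = alloc(n);
    assert(p != NULL);   /* active: prints a diagnostic and calls abort() */
    return p;
}

/* --- Build-independent guard in the spirit of the 0.9.0 fix. Passing a
 * NULL on_oom selects the aborting default; a non-NULL callback is a
 * hypothetical hook used here only so the failure path can be observed. */
static void die_oom(void)
{
    fputs("pam_usb: out of memory\n", stderr);
    abort();
}

static void *xmalloc_checked(size_t n, alloc_fn alloc, oom_fn on_oom)
{
    void *p = alloc(n);
    if (p == NULL) {
        (on_oom ? on_oom : die_oom)();
        return NULL;     /* only reached when on_oom returns */
    }
    return p;
}

/* xstrdup built on the checked allocator: the three affected wrappers
 * (xmalloc, xrealloc, xstrdup) share one guard, so fixing it fixes all. */
static char *xstrdup_checked(const char *s, alloc_fn alloc, oom_fn on_oom)
{
    size_t len = strlen(s) + 1;
    char *d = xmalloc_checked(len, alloc, on_oom);
    return d ? memcpy(d, s, len) : NULL;
}

/* Probe functions exercising each variant. */
static int oom_events;
static void count_oom(void) { oom_events++; }

int release_guard_returns_null(void)
{
    return xmalloc_release(64, failing_alloc) == NULL;
}

int debug_guard_passes_when_alloc_succeeds(void)
{
    void *p = xmalloc_debug(64, malloc);
    int ok = p != NULL;
    free(p);
    return ok;
}

int checked_guard_fires_on_failure(void)
{
    oom_events = 0;
    char *d = xstrdup_checked("usb-serial-0001", failing_alloc, count_oom);
    return d == NULL && oom_events == 1;
}

int main(void)
{
    printf("release-build assert guard lets NULL through: %s\n",
           release_guard_returns_null() ? "yes (caller would crash)" : "no");
    printf("runtime guard reports OOM independent of NDEBUG: %s\n",
           checked_guard_fires_on_failure() ? "yes" : "no");
    return 0;
}
```

Calling xmalloc_debug() with the failing allocator is deliberately not done in main(): it would abort the program, which is exactly the debug-build behaviour the release build silently lost. The point to take from the release variant is that there is no code path at all between the failed alloc() and the return, so the only thing standing between the caller and a NULL dereference is the build flag.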

Defensive priority

medium

Recommended defensive actions

  • Upgrade pam_usb to version 0.9.0 or later
  • Confirm the installed distribution package actually contains the fix commit rather than relying on the version string; a rebuild without -DNDEBUG keeps the assert() guards live and serves as an interim alternative until a fixed package is available
  • Monitor for crashes of sudo, login, and other PAM-using processes: a NULL pointer dereference shows up as a kernel "segfault at 0" message in dmesg or the journal rather than as an entry in the auth log, while the patched module's abort leaves a SIGABRT and a core dump instead
  • Watch memory pressure on critical authentication systems (OOM-killer activity, pressure stall information), since sustained pressure is the precondition an attacker needs

Evidence notes

CVSS 5.1 (MEDIUM). CWE-476 (NULL Pointer Dereference). Fixed in commit d003e551b794a9e3774ff4720830fb7aadaa48bd.

Official resources

2026-05-27