PatchSiren cyber security CVE debrief
CVE-2026-48064 mcdope CVE debrief
pam_usb 0.9.0 and earlier contains an authentication bypass vulnerability when deny_remote=false is configured. The PAM_RHOST check, which should reject remote connections (such as XDMCP sessions), is incorrectly gated behind the deny_remote option. When administrators set deny_remote=false to accommodate display managers like GDM or LightDM, the remote host validation is also disabled. This allows remote XDMCP connections to proceed to USB device authentication instead of being rejected, potentially enabling unauthorized remote access. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects a network attack vector with high attack complexity due to the specific configuration requirement. The vulnerability is classified under CWE-863 (Incorrect Authorization). Version 0.9.1 remediates this issue.
- Vendor: mcdope
- Product: pam_usb
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-28
Who should care
System administrators managing Linux workstations with pam_usb authentication, particularly those using display managers with XDMCP or remote desktop capabilities; security teams responsible for PAM configuration and remote access controls; and organizations deploying hardware-based authentication for Linux endpoints.
Technical summary
The pam_usb PAM module provides hardware-based authentication using removable USB media. In versions prior to 0.9.1, the pusb_do_auth() function contains a logic error where the PAM_RHOST validation (which detects remote connections by checking if the remote host environment variable is set) is only executed when opts.deny_remote is true. Administrators commonly set deny_remote=false for display manager PAM services to prevent false positives from TTY and process heuristics on local graphical sessions. However, this configuration also disables the remote host check, allowing remote XDMCP connections to reach the USB authentication stage. An attacker with network access to an XDMCP-enabled host using pam_usb with deny_remote=false could potentially authenticate without physical USB token possession. The fix in 0.9.1 separates the remote host validation from the deny_remote option, ensuring PAM_RHOST is always checked regardless of the deny_remote setting.
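The gating error described above, as an added example that is not pam_usb source code: a simplified C model of the check order before and after the fix, with a walk over every input combination to show where the two differ. All identifiers are hypothetical, the address is a constructed sample, and treating a NULL or empty PAM_RHOST as local is an assumption of the model.

```c
/* Added illustration, not pam_usb source: a simplified model of the gate
 * described in the technical summary. All identifiers are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

enum verdict { DENY_RHOST, DENY_HEURISTIC, PROCEED_TO_USB };

struct session {
    const char *rhost;      /* PAM_RHOST value; NULL or "" modelled as local */
    bool heuristic_remote;  /* TTY/process heuristics flagged the session */
};

static bool rhost_set(const struct session *s) {
    return s->rhost != NULL && s->rhost[0] != '\0';
}

/* Behaviour described for 0.9.0 and earlier: the PAM_RHOST check only
 * runs when deny_remote is true. */
enum verdict gate_before_fix(bool deny_remote, const struct session *s) {
    if (deny_remote) {
        if (rhost_set(s)) return DENY_RHOST;
        if (s->heuristic_remote) return DENY_HEURISTIC;
    }
    return PROCEED_TO_USB;
}

/* Behaviour described for 0.9.1: PAM_RHOST is always checked; deny_remote
 * only controls the heuristics (assumption drawn from the summary). */
enum verdict gate_after_fix(bool deny_remote, const struct session *s) {
    if (rhost_set(s)) return DENY_RHOST;
    if (deny_remote && s->heuristic_remote) return DENY_HEURISTIC;
    return PROCEED_TO_USB;
}

/* Walk every input combination and count where the two gates disagree. */
int count_divergent_cases(void) {
    const char *hosts[] = { NULL, "198.51.100.7" };  /* constructed sample */
    int diff = 0;
    for (int d = 0; d < 2; d++)
        for (int h = 0; h < 2; h++)
            for (int r = 0; r < 2; r++) {
                struct session s = { hosts[r], h != 0 };
                if (gate_before_fix(d != 0, &s) != gate_after_fix(d != 0, &s))
                    diff++;
            }
    return diff;
}

int main(void) { printf("divergent cases: %d\n", count_divergent_cases()); return 0; }
```

The two gates disagree only when deny_remote is false and a remote host is set, which is the configuration the advisory describes; a regression test for a PAM module with this shape should cover that pair of cases explicitly.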
Defensive priority
HIGH
Recommended defensive actions
- Upgrade pam_usb to version 0.9.1 or later
- Review PAM configuration files for deny_remote=false settings, particularly for display manager services (gdm-password, lightdm, etc.)
- If deny_remote=false is required for local session compatibility, verify that remote access vectors (XDMCP, remote desktop protocols) are disabled or restricted at the network level
- Audit authentication logs for unexpected remote authentication attempts via pam_usb-enabled services
- Consider implementing additional network-level access controls for XDMCP and similar remote display protocols
Evidence notes
Vulnerability description and remediation status confirmed via NVD entry and GitHub Security Advisory GHSA-w38v-cw9r-x9p6. CVSS 3.1 score of 8.1 (HIGH) assigned. CWE-863 classification provided by [email protected]. Fix version 0.9.1 explicitly stated in advisory.
Official resources
2026-05-27