PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48065 mcdope CVE debrief

A heap-based buffer overflow vulnerability exists in pam_usb prior to version 0.9.1, affecting hardware authentication on Linux systems using removable media. The flaw resides in src/conf.c, where heap memory allocation is calculated as n_devices multiplied by sizeof(t_pusb_device) without enforcing an upper bound on n_devices. On 32-bit architectures (armv7l, i686), this multiplication can wrap around size_t, causing xmalloc() to receive a very small size value. Since xmalloc() only aborts on NULL returns, a small but non-NULL allocation is accepted, and subsequent array writes overflow the heap. The vulnerability is exploitable locally with high privileges required, resulting in high impacts to confidentiality, integrity, and availability. The issue was fixed in pam_usb 0.9.1.

Vendor
mcdope
Product
pam_usb
CVSS
MEDIUM 6.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

System administrators managing Linux authentication infrastructure, security teams responsible for PAM module deployments, organizations using hardware token authentication with removable media, and developers maintaining legacy 32-bit Linux systems should prioritize this vulnerability. The local attack vector and high privilege requirement limit exposure, but the high impact potential and ease of exploitation on affected architectures warrant prompt patching.

Technical summary

The pam_usb library provides hardware authentication for Linux using ordinary removable media. A vulnerability in versions prior to 0.9.1 allows heap buffer overflow on 32-bit architectures due to unbounded multiplication in memory allocation calculations. The n_devices value, derived from libxml2 XPath evaluation of the configuration file, is multiplied by sizeof(t_pusb_device) without upper bound checking. On 32-bit systems (armv7l, i686), this multiplication can overflow size_t, resulting in a small allocation that subsequent array writes overflow. The xmalloc() wrapper only aborts on NULL returns, not on undersized allocations, allowing the overflow to proceed. This is a local vulnerability requiring high privileges to exploit, with high impact potential across confidentiality, integrity, and availability dimensions.
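To make the size_t wrap concrete, the following C example is added here (it is not pam_usb's code): it emulates a 32-bit size_t with uint32_t so the arithmetic behaves the same on a 64-bit host, and shows the unchecked count-times-size computation beside a bounds-checked allocation. The device_t struct (160 bytes) is a constructed stand-in for t_pusb_device, and the device count 26843546 is chosen purely to illustrate the wrap.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed stand-in for t_pusb_device; 160 bytes, not the real struct. */
typedef struct {
    char name[32];
    char vendor[32];
    char model[32];
    char serial[64];
} device_t;

/* 32-bit size_t emulation so the wrap reproduces on a 64-bit host. */
typedef uint32_t size32_t;

/* The unchecked pattern: count * element size, computed modulo 2^32.
 * On a 32-bit target this is exactly what size_t arithmetic does. */
size32_t unchecked_bytes(size32_t n_devices, size32_t elem_size) {
    return n_devices * elem_size;
}

/* Hardened pattern: reject any count whose product does not fit in 32 bits.
 * Returns 1 and writes the byte count on success, 0 on overflow. */
int checked_bytes(size32_t n_devices, size32_t elem_size, size32_t *out) {
    if (elem_size != 0 && n_devices > UINT32_MAX / elem_size)
        return 0;                          /* product would wrap */
    *out = n_devices * elem_size;
    return 1;
}

/* Allocation wrapper that refuses a wrapped size. A wrapper that only tests
 * for NULL (as the advisory describes xmalloc() doing) would accept it. */
device_t *alloc_devices(size32_t n_devices) {
    size32_t bytes;
    if (!checked_bytes(n_devices, (size32_t)sizeof(device_t), &bytes))
        return NULL;                       /* overflow: refuse to allocate */
    return malloc(bytes);
}

int main(void) {
    /* 26843546 * 160 = 2^32 + 64, so the 32-bit product wraps to 64 bytes:
     * smaller than one device_t, yet a non-NULL allocation would succeed. */
    size32_t n = 26843546u;
    printf("unchecked: %u devices -> %u bytes\n", (unsigned)n,
           (unsigned)unchecked_bytes(n, (size32_t)sizeof(device_t)));
    printf("checked:   %s\n", alloc_devices(n) ? "allocated" : "rejected");
    return 0;
}
```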

Defensive priority

medium

Recommended defensive actions

  • Upgrade pam_usb to version 0.9.1 or later to remediate the heap buffer overflow vulnerability
  • Audit systems running 32-bit Linux architectures (armv7l, i686) for pam_usb installations prior to 0.9.1
  • Review pam_usb configuration files for unusually large device counts that could trigger the integer overflow condition
  • Apply principle of least privilege to pam_usb configurations, limiting authentication to specific required devices
  • Monitor for anomalous authentication failures or crashes in pam_usb that could indicate exploitation attempts
  • Consider migrating critical authentication systems from 32-bit to 64-bit architectures where feasible to reduce exposure to integer overflow vulnerabilities

Evidence notes

The vulnerability description is derived from the official CVE record and NVD entry published 2026-05-27. The affected component is pam_usb's configuration parser in src/conf.c. The vulnerability class is heap buffer overflow (CWE-122) triggered by integer overflow (CWE-190). Affected architectures are explicitly 32-bit targets (armv7l, i686) as noted in the project Makefile. The fix version 0.9.1 is confirmed. CVSS 3.1 vector AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H yields a base score of 6.7 (Medium).

Official resources

2026-05-27