PatchSiren cyber security CVE debrief
CVE-2026-48066 mcdope CVE debrief
A concurrency vulnerability in pam_usb prior to version 0.9.1 allows data race conditions when the PAM stack is invoked concurrently from multiple threads. The issue stems from a process-wide static pointer in src/log.c that is written on every PAM invocation with the address of a stack-local variable, violating PAM re-entrancy requirements. This can lead to integrity and availability impacts in multi-threaded authentication scenarios. The vulnerability was published on 2026-05-27 and is fixed in pam_usb 0.9.1.
- Vendor
- mcdope
- Product
- pam_usb
- CVSS
- MEDIUM 5.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-27
- Original CVE updated
- 2026-05-28
- Advisory published
- 2026-05-27
- Advisory updated
- 2026-05-28
Who should care
System administrators running Linux environments with pam_usb for hardware-based authentication, particularly those with multi-threaded applications or services that may invoke PAM concurrently. Security teams responsible for authentication infrastructure and developers maintaining PAM modules should also prioritize this patch.
Technical summary
The pam_usb library provides hardware authentication for Linux using removable media. Versions prior to 0.9.1 contain a critical thread-safety defect in src/log.c where a process-wide static pointer is assigned the address of a stack-local variable during each PAM invocation. This implementation violates the PAM re-entrancy requirement, which mandates that modules be safe for concurrent use across multiple threads. When the PAM stack is invoked concurrently, a data race occurs on this shared pointer, potentially causing null pointer dereferences (CWE-476) or use of stale stack memory. The vulnerability is classified as MEDIUM severity (CVSS 5.7) with high availability impact due to potential authentication service disruption. The attack requires local access but no privileges or user interaction, though high attack complexity limits exploitation probability. The fix in version 0.9.1 properly addresses the re-entrancy violation.
Defensive priority
medium
Recommended defensive actions
- Upgrade pam_usb to version 0.9.1 or later to remediate the data race vulnerability
- Review systems using pam_usb for concurrent authentication scenarios that may trigger the race condition
- Monitor authentication logs for anomalies that could indicate exploitation attempts
- Consider implementing additional access controls to limit concurrent PAM invocations where pam_usb is deployed until patching is complete
Evidence notes
The vulnerability description indicates a data race condition (CWE-362) and null pointer dereference (CWE-476) in pam_usb's logging implementation. The static pointer to stack-local variable creates a classic use-after-scope risk when concurrent PAM invocations occur. The CVSS 3.1 vector (AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H) reflects local attack vector, high attack complexity, no privileges required, no user interaction, with low integrity impact and high availability impact.
Official resources
2026-05-27