PatchSiren cyber security CVE debrief

CVE-2026-48792 mcdope CVE debrief

pam_usb 0.9.0 and earlier fails to propagate EACCES errors when scanning /dev/input/event* nodes in src/evdev.c. The function pusb_has_virtual_input_device() returns 0 (no virtual devices detected) when open() calls fail due to insufficient permissions, rather than signaling an error condition. The caller in src/local.c interprets this false negative as a clean scan result and continues the authentication flow without denying access. This allows local attackers with restricted permissions to bypass virtual input device detection, potentially circumventing hardware-based authentication requirements. The vulnerability stems from CWE-390 (Detection of Error Condition Without Action) and CWE-693 (Protection Mechanism Failure). Fixed in pam_usb 0.9.1.

Vendor: mcdope
Product: pam_usb
CVSS: MEDIUM 4.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-28
Advisory published: 2026-05-27
Advisory updated: 2026-05-28

Who should care

Linux system administrators using pam_usb for hardware-based authentication; security teams evaluating PAM module implementations; developers of authentication systems handling hardware device enumeration

Technical summary

The vulnerability exists in src/evdev.c, where open() calls on /dev/input/event* nodes return -1 with errno=EACCES when the process lacks read permission on the node. The code silently continues the loop without propagating the error, so the scan completes with zero successful opens. The function then returns 0 (boolean false, 'no virtual devices'), which src/local.c interprets as a successful, clean scan rather than a failed one. This breaks the security invariant that the presence of a virtual input device must be verifiable: when verification fails because of permissions, authentication should deny or fall back safely, not proceed. The fix in 0.9.1 presumably adds explicit error handling to distinguish permission failures from the absence of devices.
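The following C sample is an added illustration of the error-handling defect described in the description and technical summary above; it is not pam_usb's code and does not reproduce src/evdev.c or src/local.c. The probe hook, the scan_result enum, the function names and the sample node list are all constructed for the example: injecting the probe lets the vulnerable and hardened scan patterns run side by side without real /dev/input nodes, and shows why a two-valued return cannot separate "no virtual device found" from "could not check".

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Three-valued scan result: the point of the fix is that "nothing found"
   and "could not look" must be different values. */
typedef enum {
    SCAN_NO_VIRTUAL = 0,    /* every node was examined, none is virtual */
    SCAN_VIRTUAL_FOUND = 1, /* at least one node is a virtual input device */
    SCAN_ERROR = -1         /* at least one node could not be examined */
} scan_result;

/* Hypothetical probe hook standing in for open()+ioctl() on one node:
   returns 1 if the node is a virtual device, 0 if it is not, or -1 with
   errno set when the node cannot be opened (e.g. EACCES). Injecting the
   probe lets the sample run without real /dev/input nodes. */
typedef int (*probe_fn)(const char *node);

/* Vulnerable pattern as described in the advisory: an open() failure is
   skipped like a non-virtual node, so a scan in which every open failed
   returns the same 0 as a genuinely clean scan. */
int vulnerable_has_virtual_input(const char *const *nodes, size_t n, probe_fn probe)
{
    for (size_t i = 0; i < n; i++) {
        int r = probe(nodes[i]);
        if (r < 0)
            continue;           /* BUG: EACCES swallowed, nothing reported */
        if (r == 1)
            return 1;
    }
    return 0;                   /* "no virtual devices" or "could not check"? */
}

/* Hardened pattern: a node that vanished between enumeration and open()
   (ENOENT) is harmless, but any other open() failure means the scan is
   incomplete and is reported as SCAN_ERROR instead of being hidden. */
scan_result hardened_has_virtual_input(const char *const *nodes, size_t n, probe_fn probe)
{
    int found = 0;
    for (size_t i = 0; i < n; i++) {
        int r = probe(nodes[i]);
        if (r < 0) {
            if (errno == ENOENT)
                continue;       /* device went away: not a detection failure */
            return SCAN_ERROR;  /* EACCES and friends: fail closed */
        }
        if (r == 1)
            found = 1;
    }
    return found ? SCAN_VIRTUAL_FOUND : SCAN_NO_VIRTUAL;
}

/* Caller policy (the local.c side of such a fix): only a complete, clean
   scan lets authentication continue; a found device or an error denies. */
int caller_allows_auth(scan_result r)
{
    return r == SCAN_NO_VIRTUAL;
}

/* Constructed sample node list and probes; no real device is touched. */
static const char *const SAMPLE_NODES[] = {
    "/dev/input/event0", "/dev/input/event1", "/dev/input/event2"
};
#define SAMPLE_NODE_COUNT (sizeof SAMPLE_NODES / sizeof SAMPLE_NODES[0])

/* Process without read permission on any node: every open() fails. */
int probe_eacces(const char *node) { (void)node; errno = EACCES; return -1; }
/* Privileged process, no virtual devices present. */
int probe_clean(const char *node) { (void)node; return 0; }
/* Privileged process, event2 is a virtual (e.g. uinput-backed) device. */
int probe_virtual(const char *node) { return strcmp(node, "/dev/input/event2") == 0; }

int main(void)
{
    int v = vulnerable_has_virtual_input(SAMPLE_NODES, SAMPLE_NODE_COUNT, probe_eacces);
    scan_result h = hardened_has_virtual_input(SAMPLE_NODES, SAMPLE_NODE_COUNT, probe_eacces);
    printf("all opens EACCES: vulnerable=%d (treated as clean), hardened=%d (auth allowed: %d)\n",
           v, (int)h, caller_allows_auth(h));
    return 0;
}
```

With every open() failing on EACCES, the vulnerable scan returns 0 and a caller that equates 0 with "clean" proceeds; the hardened scan returns SCAN_ERROR and caller_allows_auth() refuses. Treating only ENOENT as benign is a design choice: a node that disappears mid-scan is a race, not a missing capability, whereas a permission error means the module never had the access the check depends on.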

Defensive priority

medium

Recommended defensive actions

  • Upgrade pam_usb to version 0.9.1 or later to obtain the corrected error handling in src/evdev.c
  • Review local PAM configuration to ensure pam_usb is properly integrated with fallback authentication mechanisms
  • Audit system logs for authentication anomalies that may indicate bypass attempts
  • Verify that /dev/input/event* device nodes have appropriate permissions for the authentication process
  • Consider implementing additional monitoring for failed device access attempts in authentication paths

Evidence notes

NVD entry published 2026-05-27 with CVSS 4.4 (MEDIUM). GitHub Security Advisory GHSA-pvrg-chgw-x42c confirms fix in 0.9.1. Related issues #351 and #55 document the permission handling defect in evdev.c.
