PatchSiren cyber security CVE debrief
CVE-2026-48981 mcdope CVE debrief
CVE-2026-48981 is a vulnerability in pam_usb, a hardware authentication module for Linux. Versions prior to 0.9.2 are affected. The vulnerability allows libxml2 to process external entity references when loading the configuration file, potentially making outbound network connections or local file reads at XML parse time from the context of the authenticating process. The vulnerability requires the configuration file to contain crafted XML entity references. Direct exploitation requires prior write access to the config, but the defence-in-depth impact is significant given that pam_usb.so runs in setuid contexts. This issue has been fixed in version 0.9.2.
- Vendor
- mcdope
- Product
- pam_usb
- CVSS
- MEDIUM 6.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-18
- Original CVE updated
- 2026-06-22
- Advisory published
- 2026-06-18
- Advisory updated
- 2026-06-22
Who should care
Users of pam_usb versions prior to 0.9.2 should be aware of this vulnerability and take steps to mitigate it. This includes administrators of Linux systems that use pam_usb for hardware authentication, as well as developers who use pam_usb in their applications. The defence-in-depth impact is significant given that pam_usb.so runs in setuid contexts.
Technical summary
The pam_usb module calls xmlReadFile() with flags=0 when loading the configuration file, allowing libxml2 to process external entity references. This can lead to outbound network connections or local file reads at XML parse time from the context of the authenticating process. The vulnerability requires the configuration file to contain crafted XML entity references. The issue has been fixed in version 0.9.2. The pam_usb module runs in setuid contexts, such as sudo and su, which increases the defence-in-depth impact.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to pam_usb version 0.9.2 or later
- Review and restrict access to the pam_usb configuration file
- Monitor system logs for suspicious activity related to pam_usb
- Consider implementing additional security controls, such as SELinux or AppArmor, to restrict the actions of the pam_usb process
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-06-18T20:16:14.407Z and was last modified on 2026-06-22T17:56:35.757Z. The NVD entry is currently Deferred. There is limited evidence available about the vulnerability, and defenders should verify the affected scope and severity with the official advisory. The configuration file must contain crafted XML entity references for exploitation. The pam_usb module runs in setuid contexts, such as sudo and su, which increases the defence-in-depth impact.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-18T20:16:14.407Z and has not been modified since then. The NVD entry is currently Deferred.