PatchSiren cyber security CVE debrief
CVE-2026-48985 mcdope CVE debrief
The pam_usb library, used for hardware authentication on Linux systems, has a vulnerability in versions 0.9.1 and below. The pusb_is_loginctl_local() function can cause a NULL dereference crash when parsing loginctl output. This occurs when the Remote field is only a newline, causing fgets() to succeed but strtok_r(buf, ' ', &saveptr) to return NULL. A subsequent strcmp(is_remote, 'no') then dereferences NULL, leading to undefined behavior and typically a SIGSEGV crash. This can crash the authenticating process (e.g., sudo, login) and, depending on PAM stack configuration, deny access for all users of the affected service.
- Vendor
- mcdope
- Product
- pam_usb
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-18
- Original CVE updated
- 2026-06-22
- Advisory published
- 2026-06-18
- Advisory updated
- 2026-06-22
Who should care
System administrators and users of Linux systems utilizing pam_usb for hardware authentication should be aware of this vulnerability. Specifically, those using versions 0.9.1 or earlier of pam_usb are at risk and should consider upgrading to version 0.9.2 or later.
Technical summary
The vulnerability exists in the pusb_is_loginctl_local() function of pam_usb. When parsing loginctl output, if the Remote field consists solely of a newline character, fgets() will successfully read it, but strtok_r() will return NULL. The subsequent call to strcmp() with this NULL value causes a NULL pointer dereference, leading to a crash. This issue can be exploited locally and has the potential to deny service to users of affected PAM-enabled services.
Defensive priority
Medium priority should be given to patching this vulnerability, especially in environments where pam_usb is used for authentication. The CVSS score of 5.5 indicates a moderate severity, but the potential for denial of service makes it important to address.
Recommended defensive actions
- Upgrade to pam_usb version 0.9.2 or later
- Review PAM stack configurations to ensure they do not exacerbate the issue
- Monitor system logs for crashes related to pam_usb
- Consider implementing additional authentication layers as a compensating control
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
Evidence notes
The CVE record and NVD entry provide details on the vulnerability. The fix is available in version 0.9.2 of pam_usb. Limited information is available on potential exploits or attacks in the wild. Evidence from the CVE record and NVD entry suggests that the vulnerability can cause a NULL dereference crash when parsing loginctl output. To verify, defenders should review the official advisory and CVE record for affected scope, severity, and vendor guidance. They should also monitor system logs for crashes related to pam_usb and consider implementing additional authentication layers as a compensating control.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-18T18:16:19.660Z and has not been modified since then. The NVD entry is currently Deferred.