PatchSiren cyber security CVE debrief
CVE-2026-48986 mcdope CVE debrief
CVE-2026-48986 is a medium-severity vulnerability in pam_usb 0.9.1 and earlier. The issue arises from usb_get_process_parent_id() not initializing *ppid on failure, causing an infinite loop DoS in pusb_local_login(). This affects processes like sudo, sshd, or login until forcibly terminated. The vulnerability is fixed in version 0.9.2. Users should review system logs for potential exploitation attempts and implement monitoring for unusual process behavior. The CVE record was published on 2026-06-18T18:16:19.807Z and last modified on 2026-06-22T17:56:35.757Z.
- Vendor
- mcdope
- Product
- pam_usb
- CVSS
- MEDIUM 4.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-18
- Original CVE updated
- 2026-06-22
- Advisory published
- 2026-06-18
- Advisory updated
- 2026-06-22
Who should care
Users of pam_usb 0.9.1 and earlier should update to version 0.9.2 to mitigate this vulnerability. System administrators and security teams responsible for Linux systems using pam_usb for hardware authentication are particularly affected.
Technical summary
The pam_usb library provides hardware authentication for Linux using removable media. In pam_usb 0.9.1 and earlier, the usb_get_process_parent_id() function can cause an infinite loop DoS because it does not initialize *ppid on failure. In pusb_local_login(), the same variable is reused as input and output in a process-tree while loop; if /proc/<pid>/stat cannot be read (for example, when an ancestor process exits during authentication), the PID is not updated and the loop does not terminate. This hangs the authenticating process (such as sudo, sshd, or login) until it is forcibly terminated. The issue has been fixed in version 0.9.2.
Defensive priority
Medium priority should be given to updating pam_usb to version 0.9.2, as the vulnerability can cause denial of service (DoS) attacks on affected systems.
Recommended defensive actions
- Update pam_usb to version 0.9.2 or later
- Review system logs for potential exploitation attempts
- Implement monitoring for unusual process behavior
- Consider applying compensating controls for authentication processes
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
Evidence notes
The CVE record was published on 2026-06-18T18:16:19.807Z and last modified on 2026-06-22T17:56:35.757Z. The NVD entry is currently Deferred. The vulnerability has a CVSS score of 4.7 and is classified as CWE-835 (Loop with Unreachable Termination).
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-18T18:16:19.807Z and has not been modified since then. The NVD entry is currently Deferred.