These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-48982 is a MEDIUM-severity vulnerability affecting pam_usb, a Linux authentication module that uses removable media for hardware authentication. In pam_usb versions prior to 0.9.2, a race condition occurs when updating a one-time pad file. This condition arises because the update process creates a temporary file using open() without the O_EXCL flag, making the create operation non-atomic. Two con [truncated]
CVE-2026-48981 is a vulnerability in pam_usb, a hardware authentication module for Linux. Versions prior to 0.9.2 are affected. The vulnerability allows libxml2 to process external entity references when loading the configuration file, potentially making outbound network connections or local file reads at XML parse time from the context of the authenticating process. The vulnerability requires the configu [truncated]
The pam_usb authentication module for Linux, used for hardware authentication via removable media, contains a vulnerability (CVE-2026-48980) that allows environment variable injection. This issue arises from the getenv() function being influenced by environment variables XRDP_SESSION, DISPLAY, and TMUX. Specifically, in setuid binaries like sudo and su, getenv() can return attacker-controlled values if th [truncated]
CVE-2026-48986 is a medium-severity vulnerability in pam_usb 0.9.1 and earlier. The issue arises from usb_get_process_parent_id() not initializing *ppid on failure, causing an infinite loop DoS in pusb_local_login(). This affects processes like sudo, sshd, or login until forcibly terminated. The vulnerability is fixed in version 0.9.2. Users should review system logs for potential exploitation attempts an [truncated]
The pam_usb library, used for hardware authentication on Linux systems, has a vulnerability in versions 0.9.1 and below. The pusb_is_loginctl_local() function can cause a NULL dereference crash when parsing loginctl output. This occurs when the Remote field is only a newline, causing fgets() to succeed but strtok_r(buf, ' ', &saveptr) to return NULL. A subsequent strcmp(is_remote, 'no') then dereferences [truncated]
pam_usb prior to 0.9.0 contains a race condition in its deny_remote feature that can cause incorrect authentication decisions. The vulnerability stems from use of the non-reentrant strtok() function in three functions related to remote session detection. Display managers such as GDM run multiple concurrent authentication threads, and strtok()'s global state pointer creates a race condition where one threa [truncated]
pam_usb 0.9.0 fixes a logic flaw in the deny_remote feature that allowed IPv4 SSH connections to bypass remote-session detection on dual-stack (IPv6 wildcard) hosts. The vulnerability stems from an incomplete check of the ut_addr_v6 field: the code only tested ut_addr_v6[0] != 0, which fails for IPv4-mapped IPv6 addresses (::ffff:x.x.x.x) where the IPv4 address is stored in ut_addr_v6[3]. On systems with [truncated]
A command injection vulnerability exists in pam_usb prior to version 0.8.7. The software, which provides hardware authentication for Linux using removable media, improperly handles the $TMUX environment variable in src/tmux.c. The code splits the variable on commas and interpolates the socket-path component into a shell command passed to popen() without adequate sanitization. Because the value is placed i [truncated]
pam_usb prior to 0.8.7 contains multiple command injection vulnerabilities enabling root remote code execution. The primary attack vector involves a crafted filesystem UUID containing shell metacharacters (e.g., $(id>/tmp/rce)) that is processed unsafely when pamusb-conf --reset-pads executes. USB device controllers permitting UUID modification allow payload injection during --add-device operations. A sec [truncated]
CVE-2026-44711 is a high-severity vulnerability in pam_usb, a Linux hardware authentication module that enables authentication using ordinary removable media. The flaw, present in versions prior to 0.8.7, involves symlink attacks targeting the pad directory and pad files. Successful exploitation can result in authentication bypass and root file corruption. The vulnerability was published on May 27, 2026, [truncated]
A NULL pointer dereference vulnerability exists in pam_usb prior to version 0.8.7. The affected code in src/device.c passes return values from udisks_drive_get_serial(), udisks_drive_get_vendor(), and udisks_drive_get_model() directly to strcmp() without validating whether these pointers are non-NULL. According to GIO/UDisks API documentation, these accessor functions may return NULL when devices do not e [truncated]
pam_usb prior to version 0.8.7 contains a command injection vulnerability in its pinentry fallback mechanism. The `pamusb-pinentry` utility reads the `PINENTRY_FALLBACK_APP` environment variable and executes its contents directly without validation. Any process capable of setting environment variables before `pamusb-pinentry` invocation can inject arbitrary commands, which execute with the privileges of t [truncated]
pam_usb 0.9.0 and earlier fails to propagate EACCES errors when scanning /dev/input/event* nodes in src/evdev.c. The function pusb_has_virtual_input_device() returns 0 (no virtual devices detected) when open() calls fail due to insufficient permissions, rather than signaling an error condition. The caller in src/local.c interprets this false negative as a clean scan result and continues authentication flo [truncated]
A concurrency vulnerability in pam_usb prior to version 0.9.1 allows data race conditions when the PAM stack is invoked concurrently from multiple threads. The issue stems from a process-wide static pointer in src/log.c that is written on every PAM invocation with the address of a stack-local variable, violating PAM re-entrancy requirements. This can lead to integrity and availability impacts in multi-thr [truncated]
A heap-based buffer overflow vulnerability exists in pam_usb prior to version 0.9.1, affecting hardware authentication on Linux systems using removable media. The flaw resides in src/conf.c, where heap memory allocation is calculated as n_devices multiplied by sizeof(t_pusb_device) without enforcing an upper bound on n_devices. On 32-bit architectures (armv7l, i686), this multiplication can wrap around si [truncated]
pam_usb 0.9.0 and earlier contains an authentication bypass vulnerability when deny_remote=false is configured. The PAM_RHOST check, which should reject remote connections (such as XDMCP sessions), is incorrectly gated behind the deny_remote option. When administrators set deny_remote=false to accommodate display managers like GDM or LightDM, the remote host validation is also disabled. This allows remote [truncated]
pam_usb prior to 0.9.0 resolves external binaries through PATH rather than absolute paths in multiple helper tools, allowing environment-influenced binary substitution during PAM authentication. The affected components are pamusb-check (src/tmux.c), pamusb-conf (tools/pamusb-conf), and pamusb-keyring-unlock-gnome (tools/pamusb-keyring-unlock-gnome). An attacker with ability to manipulate the process envir [truncated]
pam_usb prior to version 0.9.0 is vulnerable to XPath injection due to improper validation of user-supplied and device-supplied identifiers when constructing XPath expressions to query /etc/pamusb.conf. The vulnerability allows injection of arbitrary XPath predicates through identifiers including PAM usernames, service names, USB device serial numbers, models, and vendor strings. This could enable authent [truncated]
pam_usb 0.9.0 fixes an authentication bypass in the pusb_pad_compare() function. Prior to this version, the function verified that the user-side pad file (~/.pamusb/device.pad) was readable but did not enforce that the system-side pad on the USB device was present and readable. If a local user deleted their own ~/.pamusb/device.pad, the resulting failure was treated as non-fatal in certain code paths, all [truncated]
pam_usb 0.9.0 fixes a local denial-of-service vulnerability where out-of-memory guards in xmalloc(), xrealloc(), and xstrdup() were implemented using assert(), which is compiled out when NDEBUG is defined. In release builds (common in Debian, Fedora, and Arch packages), allocation failures cause NULL pointer dereferences, crashing the PAM module and blocking authentication via sudo or login. An attacker w [truncated]