CVE-2026-47271
Deferred - Pending Action
NULL Pointer Dereference in pam_usb PAM Module

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, src/mem.c implemented out-of-memory guards for xmalloc(), xrealloc(), and xstrdup() using assert(data != NULL). The C standard specifies that all assert() expressions are compiled out when NDEBUG is defined at build time. NDEBUG is commonly defined in release and packaging builds (Debian, Fedora, Arch package flags all define it via -DNDEBUG in CFLAGS). With the guard removed, xmalloc/xrealloc/xstrdup silently return NULL on allocation failure. Every caller in the codebase dereferences the return value without a NULL check -- this is the intended design, as the guard was supposed to abort before the dereference. With the guard gone, any allocation failure causes a NULL pointer dereference, crashing the PAM module. A crash in a PAM module loaded by sudo or login causes authentication to fail for the duration of the crash, creating a local denial-of-service condition. An attacker who can induce memory pressure at authentication time can lock all users out of sudo and login. This vulnerability is fixed in 0.9.0.
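The defect described above is a pattern, not a pam_usb-specific bug, so the following added illustration (not the project's src/mem.c) reconstructs it: a fault-injecting allocator stands in for memory pressure, one wrapper guards with assert() exactly as the advisory describes, and a hardened wrapper keeps an explicit check that no CFLAGS can remove. The names xmalloc_pre090, xmalloc_hardened, fallible_malloc, the longjmp handler and the two self-check functions are constructed for this example and are assumptions, not pam_usb identifiers.

```c
/* Added illustration of assert() used as an out-of-memory guard (the defect
 * behind CVE-2026-47271). Not pam_usb's code; all names are constructed. */
#include <assert.h>
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed fault injector: when set, the next allocation returns NULL,
 * standing in for real memory pressure at authentication time. */
static int fail_next_alloc = 0;

static void *fallible_malloc(size_t size)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return malloc(size);
}

/* 1 when this file was built with -DNDEBUG, i.e. every assert() is gone. */
int guard_is_compiled_out(void)
{
#ifdef NDEBUG
    return 1;
#else
    return 0;
#endif
}

/* Pre-0.9.0 style wrapper (reconstruction): the only guard is assert(),
 * which the C standard turns into ((void)0) once NDEBUG is defined, so a
 * packaging build silently hands NULL to callers that dereference it. */
void *xmalloc_pre090(size_t size)
{
    void *data = fallible_malloc(size);
    assert(data != NULL);   /* compiled out under -DNDEBUG */
    return data;
}

/* Hardened wrapper: an explicit check that survives any build flags. On
 * failure it calls the installed handler (default: abort, which is what the
 * original assert() was meant to do) and never returns NULL to a caller. */
static void oom_abort(void)
{
    fputs("out of memory\n", stderr);
    abort();
}

static void (*oom_handler)(void) = oom_abort;

void set_oom_handler(void (*handler)(void))
{
    oom_handler = handler ? handler : oom_abort;
}

void *xmalloc_hardened(size_t size)
{
    void *data = fallible_malloc(size);
    if (data == NULL) {
        oom_handler();
        abort();            /* handler must not return; never leak a NULL */
    }
    return data;
}

char *xstrdup_hardened(const char *s)
{
    size_t len = strlen(s) + 1;
    char *copy = xmalloc_hardened(len);   /* no NULL check needed here */
    memcpy(copy, s, len);
    return copy;
}

/* Constructed handler for the self-check: escape via longjmp so the caller
 * can observe that the hardened guard intercepted the failure. */
static jmp_buf oom_env;

static void oom_longjmp(void)
{
    longjmp(oom_env, 1);
}

/* Returns 1 when the hardened guard fires on an injected allocation failure. */
int hardened_guard_fires_on_failure(void)
{
    set_oom_handler(oom_longjmp);
    if (setjmp(oom_env) == 0) {
        fail_next_alloc = 1;
        (void)xmalloc_hardened(64);
        set_oom_handler(NULL);
        return 0;           /* not reached: the guard never returns NULL */
    }
    set_oom_handler(NULL);
    return 1;
}

/* Returns 1 if the pre-0.9.0 wrapper hands NULL to its caller (an NDEBUG
 * build), or -1 in a debug build, where the same call would abort instead. */
int pre090_returns_null_on_failure(void)
{
    if (!guard_is_compiled_out())
        return -1;
    fail_next_alloc = 1;
    void *p = xmalloc_pre090(64);
    free(p);
    return p == NULL;
}

int main(void)
{
    printf("NDEBUG build: %d\n", guard_is_compiled_out());
    printf("pre-0.9.0 wrapper returns NULL on failure: %d\n",
           pre090_returns_null_on_failure());
    printf("hardened guard fires on failure: %d\n",
           hardened_guard_fires_on_failure());
    return 0;
}
```

Build it twice, once plainly and once with -DNDEBUG, to see the assert() guard disappear while the explicit check in xmalloc_hardened keeps working; in a PAM module, a handler that reports an error to the host process rather than aborting is the better fail-closed choice, but even the default abort is deterministic where a NULL dereference is not.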
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-06-17
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: mcdope
Product: pam_usb
Version / Range: 0.9.0
CWE-476: The product dereferences a pointer that it expects to be valid but is NULL.
AI Quick Actions
Executive Summary

The vulnerability exists in pam_usb, a Linux hardware authentication module that uses removable media. Before version 0.9.0, the code used assert() statements to guard against out-of-memory conditions in memory allocation functions like xmalloc(), xrealloc(), and xstrdup(). However, when the software is built with NDEBUG defined (common in release builds), these assert() checks are removed, causing the functions to return NULL silently on allocation failure.

Since the code does not check for NULL return values and directly dereferences them, any memory allocation failure leads to a NULL pointer dereference, crashing the PAM module. This crash causes authentication failures in services like sudo or login, resulting in a local denial-of-service condition.

An attacker who can create memory pressure during authentication can exploit this to lock users out of sudo and login. The issue is fixed in version 0.9.0.

Impact Analysis

This vulnerability can cause a local denial-of-service condition by crashing the PAM module responsible for authentication.

If exploited, an attacker able to induce memory pressure during authentication can cause authentication failures in sudo and login, effectively locking all users out of these critical services.

This means legitimate users may be unable to authenticate or gain elevated privileges, disrupting normal system operations.

Mitigation Strategies

To mitigate this vulnerability, upgrade pam_usb to version 0.9.0 or later, where the issue is fixed.

Until the upgrade can be applied, keep in mind that the trigger is an allocation failure inside the module at authentication time, caused by memory pressure a local user induces; constraining how much memory untrusted local accounts can consume (per-user resource limits) reduces the likelihood that an allocation in the PAM module fails.

Compliance Impact

The vulnerability causes a local denial-of-service condition by crashing the PAM module during authentication, which can lock users out of sudo and login. While this impacts system availability, there is no direct information indicating that it leads to unauthorized data access or disclosure.

Since the vulnerability primarily affects authentication availability and does not mention data breaches or privacy violations, its impact on compliance with standards like GDPR or HIPAA is indirect and limited to potential service disruption.

Detection Guidance

This vulnerability causes the pam_usb PAM module to crash during authentication when memory allocation fails, resulting in denial of service for sudo and login processes.

To detect this vulnerability on your system, you can check the version of pam_usb installed and verify if it is prior to version 0.9.0, as the issue is fixed in 0.9.0.

You can also monitor system logs for authentication failures or crashes related to pam_usb during sudo or login attempts.

Suggested commands include:

  • Check pam_usb version: `pam_usb --version` or check package version via your package manager, e.g., `dpkg -l | grep pam_usb` or `rpm -q pam_usb`.
  • Search system logs for pam_usb errors or crashes: `journalctl -xe | grep pam_usb` or `grep pam_usb /var/log/auth.log`.
  • Attempt authentication using sudo or login and observe if failures or crashes occur unexpectedly.