CVE-2026-48064
Status: Deferred - Pending Action
Authentication Bypass in pam_usb via Remote XDMCP

Publication date: 2026-05-27

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, when a PAM service is configured with deny_remote=false in pam_usb (commonly done for display managers such as gdm-password or lightdm to bypass process/TTY heuristics for local sessions), the PAM_RHOST check in pusb_do_auth() is also skipped. PAM_RHOST is set by remote daemons (sshd, XDMCP servers) to identify the remote client address. Because the check is gated inside if (opts.deny_remote), a genuine remote XDMCP connection reaches the USB device authentication step instead of being rejected. This vulnerability is fixed in 0.9.1.
Meta Information
Generated: 2026-06-17
EPSS Evaluated: 2026-06-15
NVD
Affected Vendors & Products
Vendor: mcdope
Product: pam_usb
Version / Range: all versions before 0.9.1 (0.9.1 itself is not affected)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

pam_usb provides hardware authentication for Linux using ordinary removable media; this vulnerability affects versions prior to 0.9.1. When a PAM service is configured with deny_remote=false (a common setting for display managers such as gdm-password or lightdm), the PAM_RHOST check in the authentication function pusb_do_auth() is skipped. PAM_RHOST is normally set by remote daemons such as sshd or XDMCP servers to identify the remote client address. Because the check is bypassed, a genuine remote XDMCP connection can reach the USB device authentication step instead of being rejected, potentially allowing unauthorized remote access.

Impact Analysis

This vulnerability can allow a remote attacker to bypass intended remote access restrictions and reach the USB device authentication step, potentially gaining unauthorized access to the system. Given the CVSS base score of 8.1 with high impact on confidentiality, integrity, and availability, exploitation could lead to significant security breaches including unauthorized remote login and control.

Mitigation Strategies

To mitigate this vulnerability, upgrade pam_usb to version 0.9.1 or later where the issue is fixed.

Additionally, review PAM service configurations that use pam_usb with the option deny_remote=false, especially for display managers like gdm-password or lightdm, and consider setting deny_remote=true to enforce the PAM_RHOST check until the upgrade is applied.

Compliance Impact

CVE-2026-48064 allows remote attackers to bypass remote authentication restrictions in pam_usb when configured with deny_remote=false, potentially enabling unauthorized access to systems via remote sessions such as XDMCP or VNC.

This unauthorized access risk can lead to breaches of confidentiality, integrity, and availability of sensitive data and systems, which are critical concerns under common standards and regulations like GDPR and HIPAA.

Organizations relying on pam_usb for authentication in environments subject to these regulations may face compliance challenges if this vulnerability is exploited, as it undermines proper authorization controls and could result in unauthorized data access or disclosure.

Detection Guidance

This vulnerability can be detected by checking if the pam_usb module is installed and if it is a version prior to 0.9.1, as versions 0.9.0 and earlier are affected.

Additionally, you should verify if any PAM services, especially display managers like gdm-password, lightdm, or others such as xscreensaver, are configured with the option deny_remote=false. This configuration enables the vulnerability by skipping the PAM_RHOST check.

To detect vulnerable configurations, you can search PAM configuration files for pam_usb usage and the deny_remote setting. For example, use commands like:

  • grep -r pam_usb /etc/pam.d/
  • grep -r deny_remote /etc/pam.d/

To check the installed pam_usb version, you can use package management commands depending on your distribution, for example:

  • dpkg -l | grep pam_usb (on Debian/Ubuntu)
  • rpm -q pam_usb (on Red Hat/CentOS/Fedora)

Network detection of exploitation attempts could involve monitoring for remote XDMCP connections or unusual USB authentication attempts over the network, but specific commands for this are not provided in the available resources.
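The configuration and version checks described above, as a small audit script added here as an example (it is not part of the CVE record or of the pam_usb project): it reports active pam_usb.so lines in a PAM service directory that set deny_remote=false, and flags an installed version below the fixed release 0.9.1. The sample PAM files it builds are constructed, and the function names and the PAM_DIR / INSTALLED_VERSION arguments are this example's own.

```shell
#!/bin/sh
# Added example, not from the CVE record or the pam_usb project: audit PAM
# service files for pam_usb entries that explicitly set deny_remote=false (the
# configuration CVE-2026-48064 depends on) and flag a pam_usb version below
# the fixed release 0.9.1.

# Return 0 when VERSION (e.g. "0.9.0") is older than 0.9.1, i.e. still affected.
pam_usb_version_affected() {
    printf '%s\n' "$1" | awk -F. '{
        v = ($1 + 0) * 1000000 + ($2 + 0) * 1000 + ($3 + 0)   # 0.9.1 -> 9001
        if (v < 9001) exit 0
        exit 1
    }'
}

# Print "file:lineno:line" for every active (uncommented) pam_usb.so entry in
# PAM_DIR that carries deny_remote=false; commented-out lines and trailing
# "# ..." comments are ignored. Returns 0 if at least one entry was found.
find_deny_remote_false() {
    pam_dir="$1"
    found=1
    for f in "$pam_dir"/*; do
        [ -f "$f" ] || continue
        matches=$(grep -n '^[^#]*pam_usb\.so[^#]*deny_remote=false' "$f") || continue
        printf '%s\n' "$matches" | sed "s|^|$f:|"
        found=0
    done
    return $found
}

# Build a constructed sample PAM directory (hypothetical contents) and print its path.
make_sample_pam_dir() {
    d=$(mktemp -d)
    printf '# display manager opting out of the remote check\nauth sufficient pam_usb.so deny_remote=false\nauth include common-auth\n' > "$d/gdm-password"
    printf '#auth sufficient pam_usb.so deny_remote=false\nauth include common-auth\n' > "$d/lightdm"
    printf 'auth sufficient pam_usb.so deny_remote=true\n' > "$d/login"
    printf 'auth required pam_unix.so\n' > "$d/sshd"
    printf '%s\n' "$d"
}

# Usage: sh pam_usb_audit.sh PAM_DIR [INSTALLED_VERSION]
#   e.g. sh pam_usb_audit.sh /etc/pam.d 0.9.0
if [ $# -gt 0 ]; then
    find_deny_remote_false "$1" || echo "no active pam_usb.so line sets deny_remote=false in $1"
    if [ -n "${2:-}" ] && pam_usb_version_affected "$2"; then
        echo "pam_usb $2 is below the fixed release 0.9.1"
    fi
fi
```

A hit from the first check is only a finding when the installed pam_usb is also below 0.9.1; on a fixed version the PAM_RHOST check is no longer tied to deny_remote.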
