CVE-2026-48066
Race Condition in pam_usb Authentication Module
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mcdope | pam_usb | to 0.9.1 (exc) |
| mcdope | pam_usb | From 0.9.1 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can lead to data races during concurrent PAM invocations, potentially causing unexpected behavior or crashes in the authentication process. The CVSS score indicates a moderate overall impact with a high impact on availability, meaning it could disrupt authentication services but does not directly compromise confidentiality.
Can you explain this vulnerability to me?
The vulnerability exists in pam_usb versions prior to 0.9.1, specifically in the src/log.c file. It involves a process-wide static pointer that is overwritten on every PAM invocation with the address of a stack-local variable. This design violates the PAM re-entrancy requirement and causes a data race when multiple threads invoke the PAM stack concurrently.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade pam_usb to version 0.9.1 or later, where the issue has been fixed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of the CVE-2026-48066 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability can be detected by checking for data races during concurrent PAM authentication invocations involving pam_usb versions 0.9.0 and earlier.
One suggested method is to build pam_usb with ThreadSanitizer enabled using the compiler flag -fsanitize=thread.
Then, run concurrent invocations of the pamusb-check command to trigger the race condition and observe if ThreadSanitizer reports any data races.
- Compile pam_usb with ThreadSanitizer: `gcc -fsanitize=thread -o pamusb-check src/log.c other_sources.c`
- Run multiple concurrent pamusb-check commands, for example: `for i in {1..10}; do ./pamusb-check & done; wait`
If data races are detected, ThreadSanitizer will output warnings indicating the presence of the vulnerability.
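The pattern described above (a process-wide static pointer overwritten with the address of a stack-local on every invocation), reduced to a self-contained C program. This is an added example, not pam_usb's code: `opts_t`, `log_init`, `log_service`, `log_service_r` and the service names are assumptions, and the re-entrant variant is one possible design, not necessarily the change shipped in 0.9.1. It runs two invocations as threads of a single process, the setting in which such a pointer is shared, and counts how many of them log with the other invocation's options.

```c
/* Added example (constructed). Build: cc -pthread demo.c
   Add -fsanitize=thread -g to have ThreadSanitizer check the writes to g_opts. */
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <string.h>

typedef struct { const char *service; } opts_t;       /* hypothetical options struct */

static const opts_t *g_opts;                          /* vulnerable: process-wide pointer */
static void log_init(const opts_t *o) { g_opts = o; } /* overwritten on every invocation */
static const char *log_service(void) { return g_opts->service; }
static const char *log_service_r(const opts_t *o) { return o->service; } /* re-entrant */

static atomic_int arrived, finished, mismatches;

static void rendezvous(atomic_int *n) {               /* wait until both threads get here */
    atomic_fetch_add(n, 1);
    while (atomic_load(n) < 2) sched_yield();
}

typedef struct { const char *service; int reentrant; } job_t;

static void *invocation(void *arg) {                  /* stands in for one PAM invocation */
    const job_t *job = arg;
    opts_t local = { job->service };                  /* stack-local, as on the page */
    if (!job->reentrant) log_init(&local);            /* unsynchronized write to g_opts */
    rendezvous(&arrived);                             /* both invocations are now in flight */
    const char *seen = job->reentrant ? log_service_r(&local) : log_service();
    if (strcmp(seen, job->service) != 0) atomic_fetch_add(&mismatches, 1);
    rendezvous(&finished);                            /* keep `local` alive until both logged */
    return NULL;
}

/* Runs two concurrent invocations; returns how many logged with the other one's options. */
int run_pair(int reentrant) {
    job_t jobs[2] = { { "sshd", reentrant }, { "sudo", reentrant } };
    pthread_t t[2];
    atomic_store(&arrived, 0); atomic_store(&finished, 0); atomic_store(&mismatches, 0);
    for (int i = 0; i < 2; i++) pthread_create(&t[i], NULL, invocation, &jobs[i]);
    for (int i = 0; i < 2; i++) pthread_join(t[i], NULL);
    return atomic_load(&mismatches);
}

int main(void) {
    /* Shared pointer: one invocation sees the other's options. Re-entrant: none do. */
    return !(run_pair(0) == 1 && run_pair(1) == 0);
}
```

The two rendezvous points only make the outcome repeatable; without them the same overwrite happens at an unpredictable moment, and once an invocation returns the shared pointer refers to a dead stack frame.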