CVE-2026-12610

Authentication Bypass in SSSD via YubiKey Use-After-Free

Vulnerability report for CVE-2026-12610, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: Red Hat, Inc.

Description

A flaw was found in sssd. When authenticating with a YubiKey, the SSSD PAM responder can crash due to a use-after-free vulnerability, where a memory pointer is incorrectly handled. A local attacker could exploit this flaw by manipulating smartcard or YubiKey contents, leading to a denial of service that disrupts authentication. This vulnerability also presents a potential for privilege escalation, although it is difficult to exploit.


Meta Information

  • Published: 2026-06-30
  • Last Modified: 2026-06-30
  • Generated: 2026-06-30
  • AI Q&A: 2026-06-30
  • EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor   Product   Version / Range
redhat   sssd      From 2026-06-18 (inc)

Exploitability

CWE ID    Description
CWE-825   The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.

Executive Summary

CVE-2026-12610 is a use-after-free vulnerability in the System Security Services Daemon (SSSD) PAM responder that occurs during authentication with a YubiKey or smartcard.

The issue arises because a memory pointer called sss_certmap_ctx, which is used for certificate mapping, is prematurely freed while an asynchronous child process (p11_child) is still running.

When the child process finishes, it attempts to use this freed pointer, which has been overwritten with certificate data, causing a crash.

This crash leads to a denial of service by breaking the authentication process. There is also a potential, but difficult to exploit, risk of privilege escalation if an attacker manipulates the smartcard or YubiKey contents to influence the freed memory.

Impact Analysis

This vulnerability can cause the SSSD PAM responder to crash during authentication with a YubiKey or smartcard, resulting in a denial of service that disrupts user authentication.

As a result, legitimate users may be unable to authenticate, potentially blocking access to systems that rely on SSSD for authentication.

Additionally, there is a potential for privilege escalation if an attacker can manipulate the contents of the smartcard or YubiKey to exploit the use-after-free condition, although this is considered difficult to achieve.

Detection Guidance

This vulnerability manifests as a crash in the SSSD PAM responder when authenticating with a YubiKey or smartcard, causing denial of service by breaking authentication.

Detection can focus on monitoring for crashes or abnormal termination of the sssd_pam process during authentication attempts involving YubiKey or PKCS#11 smartcards.

You can check system logs (e.g., /var/log/secure, /var/log/auth.log, or journalctl) for PAM or sssd related crash messages or errors occurring during smartcard or YubiKey authentication.

Suggested commands include:

  • journalctl -u sssd -f        # follow the sssd service log in real time
  • grep -i 'sssd_pam' /var/log/secure   # search for sssd PAM responder errors
  • grep -i 'pam' /var/log/auth.log      # find PAM authentication errors
  • systemctl status sssd        # check the current status and recent failures of the sssd service

Additionally, reproducing authentication attempts with a YubiKey and observing if the PAM responder crashes can help confirm the presence of the vulnerability.
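As an added example (not part of this record and not SSSD project code), the check below applies the crash-monitoring idea above to journal-style lines: it isolates lines that show an sssd_pam process dying abnormally and extracts the crashed PIDs. The sample lines are constructed, not captured from a real host; only the kernel segfault and systemd-coredump line shapes follow their usual format.

```shell
#!/bin/sh
# Constructed sample journal lines (not captured from any real host).
SAMPLE_LOG='Jun 30 10:01:05 host sssd_pam[2231]: [sssd[pam]] authentication request for a local user
Jun 30 10:01:06 host sssd_pam[2231]: [sssd[pam]] p11_child finished
Jun 30 10:01:06 host kernel: sssd_pam[2231]: segfault at 7f1c0000 ip 00005617 sp 00007ffd error 4 in sssd_pam
Jun 30 10:01:07 host systemd-coredump[2300]: Process 2231 (sssd_pam) of user 0 dumped core.
Jun 30 10:02:00 host sssd_pam[2402]: [sssd[pam]] authentication request for a local user
Jun 30 10:02:01 host sshd[2500]: pam_unix(sshd:auth): authentication failure'

# Print only the lines indicating that an sssd_pam process terminated abnormally.
# Both the kernel segfault line and the systemd-coredump line name the process.
sssd_pam_crash_lines() {
    printf '%s\n' "$1" | grep -E 'sssd_pam' | grep -iE 'segfault|dumped core|SIGSEGV'
}

# List the distinct PIDs of crashed sssd_pam processes. The kernel line carries
# the PID as "sssd_pam[PID]", the coredump line as "Process PID (sssd_pam)".
sssd_pam_crash_pids() {
    sssd_pam_crash_lines "$1" \
        | grep -oE 'sssd_pam\[[0-9]+\]|[0-9]+ \(sssd_pam\)' \
        | grep -oE '[0-9]+' \
        | sort -u
}

# Number of distinct sssd_pam crashes seen in the given log text.
count_sssd_pam_crashes() {
    sssd_pam_crash_pids "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample: one crash, PID 2231.
printf 'sssd_pam crashes: %s (PIDs: %s)\n' \
    "$(count_sssd_pam_crashes "$SAMPLE_LOG")" \
    "$(sssd_pam_crash_pids "$SAMPLE_LOG" | tr '\n' ' ')"
```

On a real host, feed the current boot's journal instead of the sample, e.g. `count_sssd_pam_crashes "$(journalctl -b --no-pager)"`; a non-zero count during smartcard or YubiKey logins is the signal the guidance above describes.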

Mitigation Strategies

Immediate mitigation steps include avoiding or disabling YubiKey or smartcard authentication via the SSSD PAM responder until a patch or fix is applied.

If possible, restrict local user access to prevent exploitation by local attackers manipulating smartcard or YubiKey contents.

Monitor for updates or patches from your vendor or the SSSD project that address the use-after-free issue by properly managing the lifecycle of the sss_certmap_ctx pointer.

Consider applying any available software updates or patches that fix the vulnerability by retaining the sss_certmap_ctx beyond the PAM request lifecycle or terminating child processes safely.

As a temporary workaround, you may disable smartcard or YubiKey authentication in PAM configuration to prevent triggering the vulnerable code path.
