CVE-2026-48984
Status: Received (Intake)
Memory Leak in pam_usb Authentication Tool

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: GitHub, Inc.

Description
pam_usb provides hardware authentication for Linux using ordinary removable media. In versions 0.9.1 and below, the xfree() memory release helper calls free() without first zeroing the buffer contents, so heap-allocated buffers holding sensitive data, including one-time pad bytes read from disk, are released unwiped and the data stays in freed heap memory until a later allocation happens to overwrite it. On a system where a use-after-free condition exists, or where a heap inspection primitive becomes available, this could allow recovery of pad values or other authentication material from freed memory regions. This is a defence-in-depth requirement consistent with prior hardening work in this codebase (GHSA-vx6f-rrqr-j87c applied explicit_bzero to some pad paths; this issue generalises the pattern to the central deallocation helper).
Affected Vendors & Products (2 associated CPEs)

Vendor   Product   Version / Range
mcdope   pam_usb   up to 0.9.2 (excluding)
mcdope   pam_usb   0.9.2
CWE Classification

CWE-226 (Sensitive Information in Resource Not Removed Before Reuse): The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.

CWE-14 (Compiler Removal of Code to Clear Buffers): Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka "dead store removal."
Compliance Impact

The vulnerability in pam_usb leaves sensitive authentication material in freed heap memory without clearing it, where an attacker could recover it under certain conditions. Exposure of this kind of data can affect compliance with standards and regulations such as GDPR and HIPAA, which require that sensitive information be protected and handled so as to prevent unauthorized access or disclosure.

Specifically, failing to clear sensitive data before releasing memory violates defence-in-depth principles and may be judged insufficient protection of authentication data, which in turn can fall short of data-protection requirements that mandate secure handling and erasure of sensitive information.

Organizations running vulnerable versions of pam_usb therefore carry an increased risk of non-compliance with regulations that require strict confidentiality and data-protection controls.

Executive Summary

In pam_usb versions 0.9.1 and below, the xfree() helper releases heap-allocated buffers containing sensitive data without first clearing their contents. Sensitive cryptographic material, such as one-time pad bytes read from disk, therefore remains in freed memory until something else overwrites it.

If a use-after-free condition exists, or an attacker can inspect heap memory, they could recover this authentication material from the freed regions.

The root cause is that memory is freed without first zeroing the sensitive data it holds; wiping before release is a defence-in-depth requirement that prevents this kind of leakage.

Impact Analysis

This vulnerability can lead to the exposure of sensitive authentication data stored in memory, such as one-time pad bytes used for hardware authentication.

An attacker with the ability to exploit a use-after-free condition or perform heap memory inspection could recover these sensitive values, potentially compromising the authentication mechanism.

The impact is primarily on confidentiality, as unauthorized disclosure of authentication material could allow bypassing security controls.

Detection Guidance

This vulnerability involves sensitive data lingering in freed heap memory within the pam_usb software versions 0.9.1 and below. Detection would primarily involve verifying the version of pam_usb installed on your system.

You can check the installed version of pam_usb by running commands such as:

  • dpkg -l | grep -i pam.usb # On Debian-based systems, where the package is named libpam-usb
  • rpm -qa | grep -i pam_usb # On Red Hat-based systems
  • Note that pam_usb ships as a PAM module (pam_usb.so) plus the pamusb-check and pamusb-conf helpers rather than a standalone pam_usb binary, so rely on the package manager for the version; if you built from source, check the version recorded in the source tree you installed from.

Since the vulnerability concerns memory handling inside whichever PAM-aware process loads pam_usb (login, sudo and similar), there is no network or log signature for it. Confirming that freed pad bytes are actually recoverable would require a debugger or memory-forensics tooling against a live authentication, which is beyond routine command-line checks.

Mitigation Strategies

The primary mitigation is to upgrade pam_usb to version 0.9.2 or later, where the fix zeroes sensitive buffers before freeing them. The CWE-14 entry on this page is the relevant caveat for anyone backporting a fix: a plain memset() immediately before free() is a dead store that the compiler may remove, so the wipe must use explicit_bzero() or an equivalent that the optimiser cannot elide.
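The following is an added illustration of the pattern the description and this mitigation discuss; it is not pam_usb's code, and the names xfree_vulnerable, secure_zero, xfree_secure and load_pad are assumptions made for the example. It places the unwiped free() beside a hardened helper that wipes with volatile stores and a compiler barrier so the zeroing survives optimisation (the CWE-14 concern), and it nulls the caller's pointer so a repeated release is a no-op rather than a double free. Reading memory after free() is undefined behaviour, so the demo checks the wipe on the live buffer immediately before release.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The pattern the advisory describes: free() the buffer as-is, so the pad
 * bytes stay readable in the freed chunk until the allocator reuses it. */
static void xfree_vulnerable(void *p)
{
    free(p);
}

/* Zeroise without giving the optimiser a chance to drop the stores (CWE-14):
 * volatile byte writes plus a compiler barrier. Where available, libc's
 * explicit_bzero() or memset_s() serves the same purpose. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
#if defined(__GNUC__)
    __asm__ __volatile__("" : : "r"(p) : "memory");
#endif
}

/* Hardened helper (assumed name): the caller supplies the length, because
 * free() does not know it; the buffer is wiped, freed, and the caller's
 * pointer is nulled so a second xfree_secure() on it does nothing. */
static void xfree_secure(void **pp, size_t n)
{
    if (pp == NULL || *pp == NULL)
        return;
    secure_zero(*pp, n);
    free(*pp);
    *pp = NULL;
}

/* Returns 1 if every byte of buf[0..n) is zero, else 0. */
static int all_zero(const unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

/* Stand-in for reading a pad from disk: a heap buffer filled with a
 * constructed, non-zero byte pattern (not a real pam_usb pad). */
static unsigned char *load_pad(size_t n)
{
    unsigned char *pad = malloc(n);
    if (pad == NULL)
        abort();
    for (size_t i = 0; i < n; i++)
        pad[i] = (unsigned char)(0xA5 ^ (i & 0xFF));
    return pad;
}

/* Returns 1 if the pad was non-zero before the wipe, all-zero after it, and
 * the caller's pointer was nulled by xfree_secure(); 0 otherwise. */
static int demo_wipe(size_t n)
{
    unsigned char *pad = load_pad(n);
    int nonzero_before = !all_zero(pad, n);
    secure_zero(pad, n);
    int zero_after = all_zero(pad, n);
    void *p = pad;
    xfree_secure(&p, n);   /* wipes again (harmless), frees, nulls p */
    xfree_secure(&p, n);   /* no-op: p is already NULL */
    return nonzero_before && zero_after && p == NULL;
}

int main(void)
{
    /* The vulnerable path: pad bytes are still in the freed chunk. */
    xfree_vulnerable(load_pad(64));
    /* The hardened path. */
    printf("secure wipe ok: %d\n", demo_wipe(64));
    return 0;
}
```

The volatile loop is deliberately not a call to memset(): with the buffer never read again, an optimising compiler is entitled to drop a memset() that precedes free(), which is exactly the dead-store removal CWE-14 describes.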

Additional recommended steps include:

  • Apply the latest security patches and updates for pam_usb.
  • Reduce the chance that freed heap memory can be inspected: keep ptrace attachment restricted (for example via the Yama kernel.yama.ptrace_scope sysctl) and disable core dumps for the processes that perform authentication, such as login and sudo, so a crash does not write pad bytes to disk.
  • Monitor system logs and audit authentication attempts for unusual activity.

Upgrading to the fixed release also improves overall security by addressing other vulnerabilities such as file descriptor leakage, symlink attacks, race conditions, and more.
