Vulnerability in pam_usb Hardware Authentication for Linux by McDope
CVE-2026-48064
8.1 HIGH
What is CVE-2026-48064?
The pam_usb module for Linux provides hardware authentication using removable USB devices. A critical flaw exists in versions prior to 0.9.1: the PAM_RHOST check is bypassed when the configuration option deny_remote is set to false. This setting is typically applied to improve local session handling in display managers such as gdm-password or lightdm, but with it in place, remote connections arriving through daemons (such as SSH or XDMCP) proceed to USB device authentication instead of being rejected. Systems that are not upgraded to version 0.9.1 or later are therefore exposed to unauthorized remote access.
Affected Version(s)
pam_usb < 0.9.1
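A quick exposure check for the two conditions described above, as an added example that is not part of the advisory or of the pam_usb project's code. It assumes the configuration is XML with `<option name="deny_remote">` elements nested under scopes such as `<defaults>` and `<service id="...">`; the function names and the sample config are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (0, 9, 1)  # first fixed release named in the advisory

# Constructed sample; the XML layout is an assumption about pam_usb's config file.
SAMPLE_CONF = """<configuration>
  <defaults><option name="deny_remote">true</option></defaults>
  <services>
    <service id="gdm-password"><option name="deny_remote">false</option></service>
    <service id="sudo"><option name="deny_remote">true</option></service>
  </services>
</configuration>"""

def parse_version(text):
    """Leading dotted-numeric part of an upstream version string, as a tuple."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group().split("."))
    return parts + (0,) * (3 - len(parts))  # pad "0.9" to (0, 9, 0)

def deny_remote_false_scopes(conf_xml):
    """Every scope (defaults, service, ...) that explicitly sets deny_remote=false."""
    hits = []
    for node in ET.fromstring(conf_xml).iter():
        for opt in node.findall("option"):
            value = (opt.text or "").strip().lower()
            if opt.get("name") == "deny_remote" and value == "false":
                hits.append(f"{node.tag}:{node.get('id', '*')}")
    return hits

def audit(version, conf_xml):
    """Combine both advisory conditions: affected version and deny_remote=false."""
    scopes = deny_remote_false_scopes(conf_xml)
    affected = parse_version(version) < FIXED
    return {"affected_version": affected,
            "deny_remote_false": scopes,
            "exposed": affected and bool(scopes)}

if __name__ == "__main__":
    for v in ("0.8.5", "0.9.1"):
        print(v, audit(v, SAMPLE_CONF))
```

The check reports only explicit deny_remote=false settings and does not model inheritance between scopes; pass it the upstream version string without a distribution epoch.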
