Heap Memory Overflow in pam_usb on Linux Affects Multiple Architectures
CVE-2026-48065
What is CVE-2026-48065?
The pam_usb software, which facilitates hardware authentication for Linux using ordinary removable media, suffers from a heap memory overflow vulnerability. The flaw arises from improper memory allocation in the configuration file parsing process. Specifically, prior to version 0.9.1, the heap allocation size derived from the number of devices evaluated from the configuration is not bounded by a maximum limit. On 32-bit systems such as armv7l and i686, the size computation can overflow, producing a significantly smaller allocation than intended. Consequently, a small but valid allocation is returned and the subsequent array writes overflow the heap, which is potentially exploitable. This issue has been addressed in version 0.9.1, and users are advised to upgrade to maintain system security.
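The following added example illustrates the bug class described above; it is not pam_usb's code. A device count read from a configuration is multiplied by a record size in 32-bit arithmetic (as on armv7l or i686, emulated here with uint32_t so the wrap is visible on a 64-bit build), which silently produces a tiny allocation size; the hardened variant enforces a cap on the count and detects multiplication overflow. The struct layout, MAX_DEVICES value and function names are hypothetical.

```c
/* Added illustration of an allocation size that wraps in 32-bit arithmetic.
 * All names and values are hypothetical, not pam_usb's own code. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical per-device record: 16 bytes on the usual ABIs. */
struct device_entry {
    uint32_t id;
    uint32_t flags;
    uint64_t serial;
};

/* Hypothetical sanity bound on how many devices a configuration may list. */
#define MAX_DEVICES 1024u

/* Vulnerable pattern: count * sizeof(entry) evaluated in a 32-bit size_t.
 * With count = 0x40000001 the true product is 0x400000010, but the
 * truncated 32-bit result is 16: a valid but far too small allocation. */
uint32_t alloc_size_unchecked(uint32_t device_count)
{
    return device_count * (uint32_t)sizeof(struct device_entry);
}

/* Hardened pattern: reject zero or over-cap counts and refuse any count
 * whose product overflows. Returns 0 on rejection (never a valid size). */
uint32_t alloc_size_checked(uint32_t device_count)
{
    uint32_t size;
    if (device_count == 0 || device_count > MAX_DEVICES)
        return 0;
    if (__builtin_mul_overflow(device_count,
                               (uint32_t)sizeof(struct device_entry), &size))
        return 0;
    return size;
}

/* Allocates the device table only when the checked size is accepted.
 * calloc() additionally performs its own count * size overflow check. */
struct device_entry *alloc_device_table(uint32_t device_count)
{
    if (alloc_size_checked(device_count) == 0)
        return NULL;
    return calloc(device_count, sizeof(struct device_entry));
}
```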
Affected Version(s)
pam_usb < 0.9.1
