Data Race Vulnerability in pam_usb Hardware Authentication for Linux
CVE-2026-48066

5.7MEDIUM

Key Information:

Vendor

Mcdope

Status
Pam Usb
Vendor
CVE Published:
27 May 2026

What is CVE-2026-48066?

The pam_usb software, designed to provide hardware-based authentication for Linux systems using removable media, contains a vulnerability prior to version 0.9.1. This flaw arises from a process-wide static pointer in the src/log.c file that is modified during every PAM invocation, referencing a stack-local variable. When the PAM stack is accessed simultaneously by multiple threads, it leads to a data race condition that can compromise system integrity and security. This issue has been addressed and resolved in the 0.9.1 update.

Affected Version(s)

pam_usb < 0.9.1

References

https://github.com/mcdope/pam_usb/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/mcdope/pam_usb/issues/350
x_refsource_MISC
https://github.com/mcdope/pam_usb/issues/55
x_refsource_MISC

CVSS V3.1

Score:
5.7
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.