Hardware Authentication Vulnerability in pam_usb by mcdope
CVE-2026-48792

4.4 MEDIUM

Key Information:

Vendor: Mcdope

Status
Vendor
CVE Published: 27 May 2026

What is CVE-2026-48792?

The pam_usb hardware authentication module for Linux, prior to version 0.9.1, does not properly handle EACCES errors when accessing /dev/input/event* nodes. When a node cannot be opened because of insufficient permissions, the module can inaccurately report that no virtual input devices are present, leading to potential security breaches during the authentication process. Because the error is not handled, authentication attempts continue despite the insufficient permissions, which compromises system integrity. Users are urged to upgrade to version 0.9.1 or later to mitigate this vulnerability.
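
The failure mode described above, as an added sketch in C that is not pam_usb's own code: a device scan that skips unreadable nodes, next to one that reports the scan as inconclusive. The probe hook, the function names and the sample nodes are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Tri-state result: "could not check" must never collapse into "clean". */
enum scan_result { SCAN_CLEAN, SCAN_VIRTUAL_FOUND, SCAN_INCOMPLETE };

/* Hypothetical probe hook: 1 = virtual device, 0 = physical device,
 * -1 = node could not be inspected (errno set, as open(2) would). */
typedef int (*probe_fn)(const char *path);

/* Fail-open pattern: an unreadable node is skipped, so EACCES ends up
 * reported as "no virtual devices". */
enum scan_result scan_fail_open(const char *const *nodes, size_t n, probe_fn probe) {
    for (size_t i = 0; i < n; i++)
        if (probe(nodes[i]) == 1) return SCAN_VIRTUAL_FOUND;
    return SCAN_CLEAN;
}

/* Fail-closed variant: an unreadable node makes the scan inconclusive. */
enum scan_result scan_fail_closed(const char *const *nodes, size_t n, probe_fn probe) {
    int incomplete = 0;
    for (size_t i = 0; i < n; i++) {
        errno = 0;
        int r = probe(nodes[i]);
        if (r == 1) return SCAN_VIRTUAL_FOUND;
        /* Assumption: ENOENT means the node was unplugged mid-scan and is
         * safe to skip; EACCES and every other error are not. */
        if (r < 0 && errno != ENOENT) incomplete = 1;
    }
    return incomplete ? SCAN_INCOMPLETE : SCAN_CLEAN;
}

/* Authentication continues only after a complete, clean scan. */
int auth_may_proceed(enum scan_result r) { return r == SCAN_CLEAN; }

/* Constructed sample: event1 exists but is unreadable, event2 has vanished. */
const char *const SAMPLE_NODES[] = {
    "/dev/input/event0", "/dev/input/event1", "/dev/input/event2" };
int sample_probe(const char *path) {
    if (strcmp(path, "/dev/input/event1") == 0) { errno = EACCES; return -1; }
    if (strcmp(path, "/dev/input/event2") == 0) { errno = ENOENT; return -1; }
    return 0; /* event0: readable physical device */
}

int main(void) {
    printf("fail-open=%d fail-closed=%d\n", scan_fail_open(SAMPLE_NODES, 3, sample_probe),
           scan_fail_closed(SAMPLE_NODES, 3, sample_probe));
    return 0;
}
```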

Affected Version(s)

pam_usb < 0.9.1

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
