Race Condition Vulnerability in pam_usb for Linux
CVE-2026-48982

5.8 MEDIUM

Key Information:

Vendor: Mcdope

Status
Vendor
CVE Published: 18 June 2026

What is CVE-2026-48982?

The pam_usb component provides hardware authentication for Linux via removable media. In versions earlier than 0.9.2, a race condition exists due to the use of open() without the O_EXCL flag while updating a one-time pad file. This flaw allows multiple processes to concurrently succeed in opening the same file, leading to potential overwriting of pad values. This can result in authentication failures and, if exploited effectively, could allow an attacker to reuse a one-time pad, undermining the security model of pam_usb. The issue has been resolved in version 0.9.2.
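The interleaving described above, as an added C example (not pam_usb source code): two updaters both reach open() before either writes, first without O_EXCL and then with it. The file name, pad values and function names are hypothetical, and the example assumes the updater creates the file it writes to.

```c
/* Added demo, not pam_usb source. PAD_TMP and all names are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define PAD_TMP "demo_pad.tmp"
int last_open_errno;  /* errno from the most recent failed open() */

/* Start a pad update: exclusive=0 mirrors the flawed pattern (no O_EXCL),
 * exclusive=1 fails with EEXIST if another updater already created the file. */
static int begin_update(int exclusive) {
    int flags = O_WRONLY | O_CREAT | (exclusive ? O_EXCL : O_TRUNC);
    int fd = open(PAD_TMP, flags, 0600);
    if (fd < 0) last_open_errno = errno;
    return fd;
}

/* Write a constructed pad value and close; returns 1 if fully written. */
static int finish_update(int fd, const char *pad) {
    if (fd < 0) return 0;
    ssize_t n = write(fd, pad, strlen(pad));
    close(fd);
    return n == (ssize_t)strlen(pad);
}

/* Updaters A and B both reach open() before either writes. Returns how many
 * opens succeeded and copies the pad left on disk into out. */
int interleaved_update(int exclusive, char *out, size_t outlen) {
    unlink(PAD_TMP);
    last_open_errno = 0;
    int a = begin_update(exclusive);
    int b = begin_update(exclusive);   /* B arrives while A is mid-update */
    int winners = (a >= 0) + (b >= 0);
    finish_update(a, "PAD-A");
    finish_update(b, "PAD-B");         /* without O_EXCL this overwrites A */
    int fd = open(PAD_TMP, O_RDONLY);
    ssize_t n = fd < 0 ? 0 : read(fd, out, outlen - 1);
    out[n < 0 ? 0 : n] = '\0';
    if (fd >= 0) close(fd);
    unlink(PAD_TMP);
    return winners;
}

int main(void) {
    char pad[16];
    printf("no O_EXCL: %d opens succeed, pad=%s\n", interleaved_update(0, pad, sizeof pad), pad);
    printf("O_EXCL:    %d open succeeds, pad=%s\n", interleaved_update(1, pad, sizeof pad), pad);
}
```

With O_EXCL the second updater sees EEXIST and can abort or retry instead of silently replacing the pad the first updater wrote.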

Affected Version(s)

pam_usb < 0.9.2

References

CVSS V3.1

Score: 5.8
Severity: MEDIUM
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
