Symlink Race Condition in Linux Hardware Authentication Tool by McDope
CVE-2026-48983

5.8MEDIUM

Key Information:

Vendor: Mcdope
Status: Pam Usb
Vendor: CVE Published:; 18 June 2026

What is CVE-2026-48983?

A symlink race condition in versions of pam_usb prior to 0.9.2 allows local attackers to exploit the authentication mechanism by replacing target paths with symlinks to directories they control. This flaw arises from a check-then-act programming pattern where the existence of a directory is checked and then created separately. Successful exploitation can lead to unauthorized access through compromised one-time pad files, impacting the integrity of the authentication process and potentially exposing sensitive pad values. The issue has been resolved in the 0.9.2 release.

Affected Version(s)

pam_usb < 0.9.2

References

https://github.com/mcdope/pam_usb/security/advisories/GHS...

x_refsource_CONFIRM

https://github.com/mcdope/pam_usb/releases/tag/0.9.2

x_refsource_MISC

CVSS V3.1

Score:

5.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 18, 2026
Vulnerability Reserved
May 26, 2026

CVE-2026-48983 Data

JSON

Mcdope

What is CVE-2026-48983?

Affected Version(s)

References

CVSS V3.1

Timeline