Memory Release Flaw in pam_usb Affects Linux Authentication
CVE-2026-48984

4.7MEDIUM

Key Information:

Vendor: Mcdope
Status: Pam Usb
Vendor: CVE Published:; 18 June 2026

What is CVE-2026-48984?

The pam_usb module for Linux contains a vulnerability that allows sensitive data to remain in memory after it is no longer needed. Specifically, the xfree() function fails to zero out the contents of freed memory buffers, potentially exposing critical data, such as one-time pad bytes, to malicious actors. This issue arises in versions 0.9.1 and earlier, where a system utilizing a use-after-free condition or capable of heap inspection could allow attackers to recover sensitive authentication materials. The vulnerability highlights a significant gap in memory management practices, necessitating remediation efforts to strengthen system security.

Affected Version(s)

pam_usb < 0.9.2

References

https://github.com/mcdope/pam_usb/security/advisories/GHS...

x_refsource_CONFIRM

https://github.com/mcdope/pam_usb/releases/tag/0.9.2

x_refsource_MISC

CVSS V3.1

Score:

4.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 18, 2026
Vulnerability Reserved
May 26, 2026

CVE-2026-48984 Data

JSON

Mcdope

What is CVE-2026-48984?

Affected Version(s)

References

CVSS V3.1

Timeline