NULL Pointer Dereference Vulnerability in the pam_usb Authentication Module
CVE-2026-48985
5.5 (MEDIUM)
What is CVE-2026-48985?
pam_usb is a PAM module that authenticates Linux users with removable media (a USB stick or similar hardware token). Versions 0.9.1 and earlier contain a NULL pointer dereference in pusb_is_loginctl_local(), the function that runs loginctl and parses its output to decide whether the current session is local. If the Remote field in that output consists solely of a newline (that is, the value is empty), the parser fails and the module dereferences a NULL pointer. Because a PAM module runs inside the process that calls it, the crash takes down that process, so any service that invokes the affected PAM stack (for example sudo or login) fails for every user who relies on it: a denial of service against authentication rather than an authentication bypass. The issue is fixed in version 0.9.2. Administrators should confirm which pam_usb version their distribution ships and upgrade to 0.9.2 or later; until then, the module can be removed from the PAM stacks of critical services to avoid lockouts.
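To make the failure mode concrete, here is an added illustration in C. It is not pam_usb's own code and does not reproduce pusb_is_loginctl_local(); the parsers, the function names and the sample strings are assumptions. The samples imitate the single-line shape of `loginctl show-session <id> -p Remote` output and are constructed, not captured. The first parser shows the strtok()/strcmp() pattern that yields a NULL dereference when the value is only a newline; the second shows a length-checked parser that reports an empty or unexpected value as an error so the caller can fail closed instead of crashing.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed sample lines in the shape of `loginctl show-session <id> -p Remote`
 * output. They are assumptions for illustration, not captured output.
 */
static const char SAMPLE_LOCAL[]   = "Remote=no\n";
static const char SAMPLE_REMOTE[]  = "Remote=yes\n";
static const char SAMPLE_EMPTY[]   = "Remote=\n";   /* value is only a newline */
static const char SAMPLE_NOVALUE[] = "Remote=";     /* no newline at all */

/*
 * Vulnerable pattern (hypothetical, not pam_usb's code). strtok() skips the
 * leading '\n' and finds nothing else, so `value` is NULL for "Remote=\n";
 * strcmp() then dereferences it and the calling process (sudo, login, ...)
 * dies. Never call this with SAMPLE_EMPTY or SAMPLE_NOVALUE.
 */
static bool is_local_unsafe(const char *line)
{
    char buf[64];
    strncpy(buf, line, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';

    char *key   = strtok(buf, "=");    /* "Remote" */
    char *value = strtok(NULL, "\n");  /* "no", "yes", or NULL */
    return key != NULL && strcmp(value, "no") == 0;
}

/*
 * Hardened parser. Returns 1 for a local session (Remote=no), 0 for a remote
 * one (Remote=yes), and -1 when the field is absent, empty, or carries an
 * unexpected value. It never dereferences a NULL or out-of-range pointer.
 */
static int is_local_safe(const char *line)
{
    static const char prefix[] = "Remote=";
    const size_t plen = sizeof prefix - 1;

    if (line == NULL || strncmp(line, prefix, plen) != 0)
        return -1;

    const char *value = line + plen;
    size_t vlen = strcspn(value, "\r\n");   /* value length up to end of line */
    if (vlen == 0)
        return -1;                          /* "Remote=\n" or "Remote=" */
    if (vlen == 2 && memcmp(value, "no", 2) == 0)
        return 1;
    if (vlen == 3 && memcmp(value, "yes", 3) == 0)
        return 0;
    return -1;
}

/*
 * How a PAM module should consume the result: anything other than a clean
 * "local" answer refuses the hardware-token path. A parse failure then
 * degrades to a denied authentication (fail closed), not a crashed process.
 */
static bool allow_removable_media_auth(const char *loginctl_line)
{
    return is_local_safe(loginctl_line) == 1;
}

int main(void)
{
    printf("unsafe, Remote=no : %d\n", is_local_unsafe(SAMPLE_LOCAL));
    printf("safe,   Remote=no : %d\n", is_local_safe(SAMPLE_LOCAL));
    printf("safe,   Remote=yes: %d\n", is_local_safe(SAMPLE_REMOTE));
    printf("safe,   Remote=   : %d\n", is_local_safe(SAMPLE_EMPTY));
    printf("safe,   no newline: %d\n", is_local_safe(SAMPLE_NOVALUE));
    printf("allow on empty    : %d\n", allow_removable_media_auth(SAMPLE_EMPTY));
    /* is_local_unsafe(SAMPLE_EMPTY) would segfault here. */
    return 0;
}
```

Build with `cc -Wall -Wextra` and run; to see the crash, add a call to is_local_unsafe(SAMPLE_EMPTY) and run under gdb or with core dumps enabled. The design point is that a PAM module must treat unparseable helper output as a negative answer, because a crash in the module is a crash of the service that loaded it.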
Affected Version(s)
pam_usb < 0.9.2 (all releases up to and including 0.9.1)
