Denial of Service Vulnerability in pam_usb Hardware Authentication for Linux
CVE-2026-48986

4.7 MEDIUM

Key Information:

Vendor: Mcdope

Status
Vendor
CVE Published: 18 June 2026

What is CVE-2026-48986?

The pam_usb component, which provides hardware authentication on Linux via removable media, is affected by a denial of service issue in versions 0.9.1 and earlier. The vulnerability arises from a failure to initialize a specific process identifier during authentication. If the process information cannot be read (for example, when an ancestor process exits unexpectedly), the code can enter an infinite loop that hangs the entire authentication process, including commands like sudo, sshd, or login, until it is forcibly terminated. The issue is resolved in version 0.9.2, where updates to the code ensure proper handling of process identifiers and prevent such hangs during authentication.
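
The bug class described above, as an added illustration in C (not pam_usb's code and not the 0.9.2 patch): a walk up the process ancestry that ignores a failed read, next to one that initializes the identifier, stops on an unreadable ancestor, and bounds its depth. The process table, `lookup_ppid`, both walk functions and `MAX_DEPTH` are hypothetical, and the table data is constructed.

```c
#include <stddef.h>
#include <sys/types.h>

/* Constructed process table standing in for /proc; PID 3900 has exited. */
struct proc_entry { pid_t pid, ppid; };
static const struct proc_entry sample_table[] = { {4242, 4100}, {4100, 3900} };

/* Hypothetical reader: 0 on success, -1 when the process cannot be read. */
static int lookup_ppid(pid_t pid, pid_t *out) {
    size_t n = sizeof sample_table / sizeof sample_table[0];
    for (size_t i = 0; i < n; i++)
        if (sample_table[i].pid == pid) { *out = sample_table[i].ppid; return 0; }
    return -1;   /* *out is left untouched, as with a failed read */
}

/* Unchecked walk: the read result is ignored, so after a failed read the
 * loop variable never changes. `cap` exists only so this demo terminates;
 * the function returns the number of iterations spent. */
int walk_unchecked(pid_t start, int cap) {
    pid_t pid = start, ppid = start;   /* stale value models the missing init */
    int iterations = 0;
    while (pid > 1 && iterations < cap) {
        lookup_ppid(pid, &ppid);       /* failure not detected */
        pid = ppid;
        iterations++;
    }
    return iterations;
}

enum { WALK_OK = 0, WALK_READ_FAILED = -1, WALK_TOO_DEEP = -2 };
#define MAX_DEPTH 64

/* Hardened walk: initialize per iteration, stop on a failed read, and
 * bound the depth so a cyclic or corrupt chain cannot spin. */
int walk_checked(pid_t start) {
    pid_t pid = start;
    for (int depth = 0; pid > 1; depth++) {
        pid_t ppid = 0;
        if (depth >= MAX_DEPTH) return WALK_TOO_DEEP;
        if (lookup_ppid(pid, &ppid) != 0) return WALK_READ_FAILED;
        if (ppid == pid) return WALK_READ_FAILED;   /* no progress */
        pid = ppid;
    }
    return WALK_OK;
}
```

With the constructed table, the unchecked walk spends every iteration it is allowed once it reaches the exited ancestor, while the checked walk returns an error the caller can treat as an authentication failure.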

Affected Version(s)

pam_usb < 0.9.2

CVSS V3.1

Score: 4.7
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
