
CVE-2026-48065

Published 27/05/2026 20:16 · Modified 28/05/2026 13:57

Labels: CVE-2026-48065, 2026-05-27, CWE-122, [email protected]

Essential information

Published
27/05/2026 20:16
Modified
28/05/2026 13:57
Author
Creator
CVSS
6.7 MEDIUM (v3.1)
CISA KEV
No
CWE
CWE-122
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Description

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/conf.c allocates heap memory proportional to n_devices, a count derived from libxml2 XPath evaluation of the config file, without first enforcing an upper bound. On 32-bit targets (armv7l, i686 -- both listed in the project Makefile), the multiplication n_devices * sizeof(t_pusb_device) wraps around size_t, causing xmalloc() to receive a very small size. Because xmalloc() only calls abort() on NULL return, a small-but-non-NULL allocation is accepted, and subsequent array writes overflow the heap. This vulnerability is fixed in 0.9.1.
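The arithmetic the description refers to, worked through in an added example that is not pam_usb's own code: the struct, the MAX_DEVICES cap and the helper names are constructed stand-ins, and the 32-bit wrap is reproduced with uint32_t so it shows the same result on a 64-bit host. The hardened sizing beside it is the check the advisory says was missing: an upper bound on the count plus a refusal of any count whose product would wrap size_t.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed stand-in for pam_usb's t_pusb_device; only its size matters.
 * All-char fields make it exactly 224 bytes with no padding on any target. */
typedef struct { char name[32], vendor[64], model[64], serial[64]; } t_pusb_device;

#define MAX_DEVICES 64   /* hypothetical cap; pre-0.9.1 code had none */

/* The pre-0.9.1 size computation as a 32-bit size_t evaluates it: the
 * product is reduced mod 2^32, so a huge n_devices yields a tiny size. */
uint32_t unchecked_alloc_size_32(uint32_t n_devices)
{
    return n_devices * (uint32_t)sizeof(t_pusb_device);
}

/* Hardened sizing: enforce the cap and refuse any product that would wrap
 * size_t. Returns the byte count, or 0 when the count is rejected. */
size_t checked_alloc_size(size_t n_devices, size_t elem_size)
{
    if (n_devices == 0 || elem_size == 0 || n_devices > MAX_DEVICES)
        return 0;
    if (n_devices > SIZE_MAX / elem_size)   /* n_devices * elem_size overflows */
        return 0;
    return n_devices * elem_size;
}

/* Allocate the device array only after the size has been validated; NULL
 * here means "reject the config", not an out-of-memory condition. */
t_pusb_device *alloc_devices(size_t n_devices)
{
    size_t bytes = checked_alloc_size(n_devices, sizeof(t_pusb_device));
    return bytes ? calloc(1, bytes) : NULL;
}

int main(void)
{
    /* 134217729 * 224 = 7 * 2^32 + 224, so 32-bit math keeps only 224 bytes:
     * room for one element while the caller believes it has 134 million. */
    uint32_t n = 134217729u;
    printf("unchecked 32-bit size: %u bytes\n", unchecked_alloc_size_32(n));
    printf("checked size: %zu (0 = rejected)\n", checked_alloc_size(n, sizeof(t_pusb_device)));
    t_pusb_device *devs = alloc_devices(3);
    printf("3 devices -> %s\n", devs ? "allocated 672 bytes" : "rejected");
    free(devs);
    return 0;
}
```

Note that xmalloc()'s NULL check would never fire on the wrapped 224-byte request; only the pre-allocation check on the count catches it.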

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]

Affected products (CPE)

Product            CPE
pam usb / pam usb  cpe:2.3:a:pam_usb:pam_usb:0.9.1:*:*:*:*:*:*:*
pam usb / pam usb  cpe:2.3:a:pam_usb:pam_usb:<0.9.1:*:*:*:*:*:*:*

References