CVE-2026-48982

June 18, 2026, 8:16 p.m.

5.8
Medium

Description

pam_usb provides hardware authentication for Linux using ordinary removable media. In versions prior to 0.9.2, when updating a one-time pad file, a temporary file is created using open() without the O_EXCL flag. Without O_EXCL, the create operation is not atomic: two concurrent processes racing to update the same pad may both succeed in opening the file, with the second write silently overwriting the first. The one-time pad is the core replay-prevention mechanism of pam_usb. A successful race could result in the stored pad value diverging from what either process expected, potentially causing authentication failures or, in a precisely timed attack, creating a window for pad reuse. This issue has been fixed in version 0.9.2.

Product(s) Impacted

Vendor Product Versions
Pam Usb
  • Pam Usb
  • <0.9.2

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a pam_usb pam_usb <0.9.2 / / / / / / /

References

https://github.com/mcdope/pam_usb/releases/tag/0.9.2
https://github.com/mcdope/pam_usb/security/advisories/GHSA-hxh6-9574-5vp6

Tags

[email protected]
CWE-362
2026-06-18
CVE-2026-48982

CVSS Score

5.8 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: HIGH
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: HIGH
  • Availability Impact: LOW

    • CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L

    View Vector String

Timeline

Published: June 18, 2026, 8:16 p.m.
Last Modified: June 18, 2026, 8:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.