CVE-2026-48984

June 18, 2026, 8:16 p.m.

4.7
Medium

Description

pam_usb provides hardware authentication for Linux using ordinary removable media. In versions 0.9.1 and below, the xfree() memory release helper in calls free() without first zeroing the buffer contents, releasing heap-allocated buffers containing sensitive data — including one-time pad bytes read from disk — without clearing, leaving the sensitive content in freed heap memory until it happens to be overwritten by a subsequent allocation. On a system where a use-after-free condition exists, or where a heap inspection primitive becomes available, this could allow recovery of pad values or other authentication material from freed memory regions. This is a defence-in-depth requirement consistent with prior hardening work in this codebase (GHSA-vx6f-rrqr-j87c applied explicit_bzero to some pad paths; this issue generalises the pattern to the central deallocation helper).

Product(s) Impacted

Vendor Product Versions
Pam Usb
  • Pam Usb
  • <0.9.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-14
Compiler Removal of Code to Clear Buffers
Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka "dead store removal."

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a pam_usb pam_usb <0.9.1 / / / / / / /

References

https://github.com/mcdope/pam_usb/releases/tag/0.9.2
https://github.com/mcdope/pam_usb/security/advisories/GHSA-rmp6-wfrq-wrrc

Tags

[email protected]
CWE-14
2026-06-18
CVE-2026-48984

CVSS Score

4.7 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: HIGH
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

    View Vector String

Timeline

Published: June 18, 2026, 6:16 p.m.
Last Modified: June 18, 2026, 8:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.