CVE-2026-48065
6.7 MEDIUMpam_usb provides hardware authentication for Linux using ordinary removable media
Published: 2026-05-27 · Last updated: 2026-05-28
Severity and scoring
- CVSS
- 6.7 MEDIUM
- Vector
- CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-122, CWE-190
Description
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/conf.c allocates heap memory proportional to n_devices, a count derived from libxml2 XPath evaluation of the config file, without first enforcing an upper bound. On 32-bit targets (armv7l, i686 -- both listed in the project Makefile), the multiplication n_devices * sizeof(t_pusb_device) wraps around size_t, causing xmalloc() to receive a very small size. Because xmalloc() only calls abort() on NULL return, a small-but-non-NULL allocation is accepted, and subsequent array writes overflow the heap. This vulnerability is fixed in 0.9.1.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-53705 — A flaw was found in GStreamer's WavPack audio decoder in gst-plugins-good (7.6 HIGH)
- CVE-2026-52722 — A signed integer overflow vulnerability was found in GStreamer's VMnc decoder (7.1 HIGH)
- CVE-2026-52720 — A heap buffer overflow vulnerability was found in GStreamer's librfb (RFB/VNC client) (8.8 HIGH)
- CVE-2025-55661 — A heap buffer overflow in the Opus audio stream parser component of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) ... (5.5 MEDIUM)
- CVE-2025-55652 — A heap buffer overflow in the gf_isom_vp_config_new function (isomedia/avc_ext.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial ... (5.5 MEDIUM)