CVE-2026-48792
4.4 MEDIUMpam_usb provides hardware authentication for Linux using ordinary removable media
Published: 2026-05-27 · Last updated: 2026-05-28
Severity and scoring
- CVSS
- 4.4 MEDIUM
- Vector
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- CWE
- CWE-390, CWE-693
Description
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/evdev.c silently ignores EACCES errors when opening /dev/input/event* nodes, causing pusb_has_virtual_input_device() to return 0 (no virtual devices found) even when every open() call failed due to insufficient permissions. The caller in src/local.c cannot distinguish a clean absence of virtual devices from a permission-denied scan, and acts on the false negative by continuing authentication without denying. This vulnerability is fixed in 0.9.1.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-12214 — A security flaw has been discovered in Qihoo 360 Total Security 6.0 (7.8 HIGH)
- CVE-2026-47209 — vm2 is an open source vm/sandbox for Node.js (8.6 HIGH)
- CVE-2026-47140 — vm2 is an open source vm/sandbox for Node.js (10.0 CRITICAL)
- CVE-2026-47139 — vm2 is an open source vm/sandbox for Node.js (8.6 HIGH)
- CVE-2026-47135 — vm2 is an open source vm/sandbox for Node.js (8.7 HIGH)