CVE-2026-48983 | pam_usb provides hardware authentication for Linux using ord… | CVSS 5.8 MEDIUM

Description

pam_usb provides hardware authentication for Linux using ordinary removable media. In versions prior to 0.9.2, a symlink race condition exists in per-device and per-user pad directory creation. pam_usb uses a check-then-act pattern: it calls lstat() to test for existence and then calls mkdir() separately to create the directory. A local attacker can win the race between these calls by replacing the target path with a symlink to a directory they control. If successful, one-time pad files may be written to an attacker-controlled location, potentially exposing future pad values before use or disrupting authentication. This issue has been fixed in version 0.9.2.

Metadata

CVE ID: CVE-2026-48983
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-26 23:26 UTC
Published: 2026-06-18 19:07 UTC
Last updated: 2026-06-18 19:07 UTC
Primary CWE: CWE-367
CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
Vendor / Product: mcdope / pam_usb
Sources: cve.org · NVD

Severity & Metrics

5.8 MEDIUM CVSS 3.1

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L

Affected products (1)

Vendor	Product	Platform	Versions
mcdope	pam_usb	—	< 0.9.2

Weakness (CWE)

CWE	Source	Description
CWE-367	cna	CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.8	MEDIUM	3.1	cna	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L

References (2)

https://github.com/mcdope/pam_usb/security/advisories/GHSA-4j8q-67fq-3xc3 https://github.com/mcdope/pam_usb/security/advisories/GHSA-4j8q-67fq-3xc3
https://github.com/mcdope/pam_usb/releases/tag/0.9.2 https://github.com/mcdope/pam_usb/releases/tag/0.9.2