216.73.217.64

CVE-2026-48792

· Published 27/05/2026 20:16 · Modified 28/05/2026 13:57

Labels: CVE-2026-48792 2026-05-27CVE-2026-48792CWE-390[email protected]

Essential information

Published
27/05/2026 20:16
Modified
28/05/2026 13:57
Author
Creator
CVSS
4.4 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVSS metrics

Description

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/evdev.c silently ignores EACCES errors when opening /dev/input/event* nodes, causing pusb_has_virtual_input_device() to return 0 (no virtual devices found) even when every open() call failed due to insufficient permissions. The caller in src/local.c cannot distinguish a clean absence of virtual devices from a permission-denied scan, and acts on the false negative by continuing authentication without denying. This vulnerability is fixed in 0.9.1.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
pam usb / pam usb cpe:2.3:a:pam_usb:pam_usb:<0.9.1:*:*:*:*:*:*:*

References