CVE-2026-48065 MEDIUM

CVE-2026-48065: pam_usb: Unchecked integer multiplication before xmalloc() in conf.c allows heap-based buffer overflow on 32-bit targets

Vendor Mcdope
Product pam_usb
Weakness CWE-122
Published May 27, 2026
Last update May 28, 2026

CVSS base score

6.7/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/conf.c allocates heap memory proportional to n_devices, a count derived from libxml2 XPath evaluation of the config file, without first enforcing an upper bound. On 32-bit targets (armv7l, i686 -- both listed in the project Makefile), the multiplication n_devices * sizeof(t_pusb_device) wraps around size_t, causing xmalloc() to receive a very small size. Because xmalloc() only calls abort() on NULL return, a small-but-non-NULL allocation is accepted, and subsequent array writes overflow the heap. This vulnerability is fixed in 0.9.1.

Key dates

02Disclosure timeline

May 27, 2026 CVE published
May 28, 2026 Record updated