CVE-2026-48066 MEDIUM

CVE-2026-48066: pam_usb: Thread-unsafe static pointer in log.c causes data race under concurrent PAM authentication

Vendor Mcdope
Product pam_usb
Weakness CWE-362
Published May 27, 2026
Last update May 28, 2026

CVSS base score

5.7/10
Attack vector Local
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

What the vulnerability does

01 Description

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/log.c contains a process-wide static pointer that is written on every PAM invocation with the address of a stack-local variable. This violates the PAM re-entrancy requirement and creates a data race when the PAM stack is invoked concurrently from multiple threads. This vulnerability is fixed in 0.9.1.
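The pattern described above, as an added example that is not pam_usb's own code: a process-wide static pointer overwritten on every invocation, beside a re-entrant form where the caller passes its context explicitly. All names (struct opts, shared_log_init, ctx_log) are hypothetical, and the re-entrant form is one common remedy, not necessarily the change made in 0.9.1.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical per-invocation options; not pam_usb's real structure. */
struct opts { const char *service; int debug; };

/* Vulnerable pattern: one pointer shared by every thread in the process. */
static struct opts *g_opts;

static void shared_log_init(struct opts *o) { g_opts = o; } /* unsynchronised write */

static const char *shared_log_service(void) { return g_opts->service; }

/* Re-entrant pattern: the caller hands its own context to every log call. */
static int ctx_log(const struct opts *o, char *out, size_t n, const char *msg)
{
    return snprintf(out, n, "[%s] %s", o->service, msg);
}

/*
 * Replays, in one thread, an order of events that two concurrent
 * authentications can produce. a and b stand for the stack-local options of
 * invocation A and invocation B; both are alive here, so nothing dangles.
 * Returns 1 if A's log call ends up reading B's options.
 */
int shared_pointer_is_clobbered(void)
{
    struct opts a = { "sshd", 0 }, b = { "sudo", 1 };
    shared_log_init(&a);              /* A enters the module */
    shared_log_init(&b);              /* B enters before A has logged */
    return strcmp(shared_log_service(), "sshd") != 0;
}

/* Same order of events with explicit contexts: A still sees its own options. */
int explicit_context_is_isolated(void)
{
    struct opts a = { "sshd", 0 }, b = { "sudo", 1 };
    char la[64], lb[64];
    ctx_log(&b, lb, sizeof lb, "device check");
    ctx_log(&a, la, sizeof la, "device check");
    return strcmp(la, "[sshd] device check") == 0 &&
           strcmp(lb, "[sudo] device check") == 0;
}

int main(void)
{
    printf("shared pointer clobbered: %d\n", shared_pointer_is_clobbered());
    printf("explicit context isolated: %d\n", explicit_context_is_isolated());
    return 0;
}
```

The replay keeps both option structures alive so it stays well defined; with real threads the stored address can also outlive the stack frame it points into, which is why the shared pointer cannot be made safe by locking alone.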

Key dates

02 Disclosure timeline

May 27, 2026 CVE published
May 28, 2026 Record updated