Lucene search
K

82 matches found

CVE
CVE
added 2026/05/27 8:11 p.m.24 views

CVE-2026-47269

CVE-2026-47269 affects pam_usb on Linux. The deny_remote feature checks utmpx ut_addr_v6[0] to identify remote sessions, but IPv4-mapped IPv6 addresses cause the check to fail (ut_addr_v6[0] == 0, while the IPv4 address is in ut_addr_v6[3]), so remote SSH connections can be treated as local. As a...

7.4CVSS5.9AI score0.00307EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/27 8:11 p.m.45 views

CVE-2026-47269 pam_usb: deny_remote feature incorrectly classifies IPv4-mapped IPv6 remote connections as local

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pamusb's denyremote feature checks utmpx utaddrv6 to detect whether an authentication request originates from a remote session. The outer guard was if utent-utaddrv60 != 0, which only tests the first...

7.4CVSS0.00307EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/27 8:10 p.m.11 views

CVE-2026-47270

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pamusb is a PAM module loaded into the host process sudo, login, GDM, GNOME Shell. Display managers such as GDM run multiple concurrent authentication threads. Three functions used by the denyremote...

6.3CVSS5.9AI score0.00108EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/05/27 8:10 p.m.20 views

CVE-2026-47270

CVE-2026-47270 affects the pam_usb PAM module used for Linux hardware authentication. The denial logic (deny_remote) uses non-reentrant strtok(), with three functions sharing a global token pointer; in multi-threaded authentication (e.g., long-lived display managers like GDM), two concurrent auth...

6.3CVSS5.9AI score0.00108EPSS
Exploits0References3
CVE
CVE
added 2026/05/27 8:8 p.m.19 views

CVE-2026-47271

The CVE affects pam_usb prior to version 0.9.0, where out-of-memory guards in src/mem.c (xmalloc/xrealloc/xstrdup) were removed when NDEBUG is defined. With no NULL checks after allocation, NULL pointer dereferences occur, causing a crash in the PAM module loaded by sudo or login and leading to l...

5.1CVSS5.8AI score0.00122EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/27 8:6 p.m.10 views

CVE-2026-47272 pam_usb: OTP pad authentication bypass via missing system pad check and uninitialized RNG buffer

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, the pusbpadcompare function in src/pad.c only verified that the user-side pad /.pamusb/device.pad could be read, but did not enforce that the system-side pad the pad file on the USB device was also...

7.1CVSS5.9AI score0.00119EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/27 8:6 p.m.10 views

CVE-2026-47272

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, the pusbpadcompare function in src/pad.c only verified that the user-side pad /.pamusb/device.pad could be read, but did not enforce that the system-side pad the pad file on the USB device was also...

7.1CVSS5.9AI score0.00119EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/05/27 8:6 p.m.47 views

CVE-2026-47272 pam_usb: OTP pad authentication bypass via missing system pad check and uninitialized RNG buffer

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, the pusbpadcompare function in src/pad.c only verified that the user-side pad /.pamusb/device.pad could be read, but did not enforce that the system-side pad the pad file on the USB device was also...

7.1CVSS0.00119EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/27 8:3 p.m.44 views

CVE-2026-47273 pam_usb: XPath injection via PAM-supplied identifiers in pam_usb configuration queries

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pamusb builds XPath expressions from user-supplied identifiers PAM username, service name and device-supplied identifiers USB device serial, model, vendor to query /etc/pamusb.conf. These identifiers...

6.5CVSS0.00273EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/27 8:2 p.m.46 views

CVE-2026-47274 pam_usb: Uncontrolled search path in pam_usb tools allows privilege escalation via PATH manipulation

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, multiple pamusb helper tools resolved external binaries through the PATH environment variable rather than using absolute paths. An attacker who can influence the process environment during PAM...

6.3CVSS0.00141EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/05/27 7:59 p.m.47 views

CVE-2026-48064 pam_usb: PAM_RHOST check skipped when deny_remote=false allows XDMCP authentication bypass

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, when a PAM service is configured with denyremote=false in pamusb commonly done for display managers such as gdm-password or lightdm to bypass process/TTY heuristics for local sessions, the PAMRHOST...

8.1CVSS0.00342EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/27 7:59 p.m.13 views

EUVD-2026-32650

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, when a PAM service is configured with denyremote=false in pamusb commonly done for display managers such as gdm-password or lightdm to bypass process/TTY heuristics for local sessions, the PAMRHOST...

8.1CVSS5.8AI score0.00342EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/27 7:59 p.m.10 views

CVE-2026-48064 pam_usb: PAM_RHOST check skipped when deny_remote=false allows XDMCP authentication bypass

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, when a PAM service is configured with denyremote=false in pamusb commonly done for display managers such as gdm-password or lightdm to bypass process/TTY heuristics for local sessions, the PAMRHOST...

8.1CVSS5.8AI score0.00342EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/27 7:59 p.m.12 views

CVE-2026-48064

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, when a PAM service is configured with denyremote=false in pamusb commonly done for display managers such as gdm-password or lightdm to bypass process/TTY heuristics for local sessions, the PAMRHOST...

8.1CVSS5.8AI score0.00342EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/05/27 7:59 p.m.22 views

CVE-2026-48064

Summary: pam_usb prior to 0.9.1 allowed a remote XDMCP session to bypass USB authentication when deny_remote=false, because the PAM_RHOST check was gated inside the deny_remote branch. Technical details (supported): pam_usb provides hardware authentication for Linux via removable media. In affect...

8.1CVSS5.8AI score0.00342EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/27 7:58 p.m.10 views

CVE-2026-48065

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/conf.c allocates heap memory proportional to ndevices, a count derived from libxml2 XPath evaluation of the config file, without first enforcing an upper bound. On 32-bit targets armv7l, i686 --...

6.7CVSS5.9AI score0.00149EPSS
Exploits0References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/27 7:58 p.m.11 views

CVE-2026-48065 pam_usb: Unchecked integer multiplication before xmalloc() in conf.c allows heap-based buffer overflow on 32-bit targets

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/conf.c allocates heap memory proportional to ndevices, a count derived from libxml2 XPath evaluation of the config file, without first enforcing an upper bound. On 32-bit targets armv7l, i686 --...

6.7CVSS5.9AI score0.00149EPSS
Exploits0References3
CVE
CVE
added 2026/05/27 7:58 p.m.20 views

CVE-2026-48065

The CVE-2026-48065 issue affects pam_usb for Linux prior to version 0.9.1. In src/conf.c, heap memory is allocated as size proportional to n_devices (derived from libxml2 XPath on the config file) without an upper bound. On 32-bit targets (armv7l, i686 listed in the Makefile), n_devices * sizeof(...

6.7CVSS5.9AI score0.00149EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/27 7:58 p.m.43 views

CVE-2026-48065 pam_usb: Unchecked integer multiplication before xmalloc() in conf.c allows heap-based buffer overflow on 32-bit targets

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/conf.c allocates heap memory proportional to ndevices, a count derived from libxml2 XPath evaluation of the config file, without first enforcing an upper bound. On 32-bit targets armv7l, i686 --...

6.7CVSS0.00149EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/27 7:57 p.m.43 views

CVE-2026-48066 pam_usb: Thread-unsafe static pointer in log.c causes data race under concurrent PAM authentication

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/log.c contains a process-wide static pointer that is written on every PAM invocation with the address of a stack-local variable. This violates the PAM re-entrancy requirement and creates a data...

5.7CVSS0.00116EPSS
Exploits0References3
Rows per page
Query Builder