Vypr Intelligence · AI-generated · Jun 18, 2026 · 5 CVEs

pam_usb: Five Coordinated Vulns Disclosed — TOCTOU, DoS, and Memory-Scrubbing Flaw

Five coordinated disclosures hit the Linux PAM module pam_usb on June 18, covering a TOCTOU race, a missing O_EXCL flag, a NULL-dereference crash, an infinite-loop DoS, and a failure to scrub cryptographic material from heap memory.

Key findings

  • Five CVEs disclosed June 18, 2026, spanning race conditions, DoS, and memory-scrubbing bugs
  • TOCTOU symlink race (CVE-2026-48983) and missing O_EXCL flag (CVE-2026-48982) in OTP directory and temp file creation
  • NULL dereference crash (CVE-2026-48985) and infinite-loop DoS (CVE-2026-48986) in loginctl parsing and process-tree walk
  • xfree() fails to scrub OTP key material from heap before free (CVE-2026-48984)
  • All flaws fixed in pam_usb 0.9.2; versions below 0.9.2 are vulnerable

The open-source Linux authentication module pam_usb (developed by Mcdope) received five coordinated security disclosures on June 18, 2026, covering a time-of-check/time-of-use (TOCTOU) race condition, a missing atomic-file-creation flag, a NULL-dereference crash, an infinite-loop denial-of-service bug, and a failure to scrub cryptographic key material from memory. All five CVEs were published within a two-hour window and affect pam_usb versions prior to 0.9.2. The batch spans four distinct bug classes, making it a rare multi-vector disclosure for a single Linux PAM module.

**TOCTOU symlink race and concurrent update race — CVE-2026-48983 and CVE-2026-48982** Both of these flaws reside in the one-time pad (OTP) subsystem that pam_usb uses to authenticate a user with a USB device. CVE-2026-48983 describes a classic check-then-act pattern in per-device and per-user pad directory creation: the code calls lstat() to check if a directory exists and then calls mkdir() separately, leaving a window for an attacker to substitute a symlink between the two calls. A local attacker who can control the filesystem layout could exploit the race to write pad data to an arbitrary location. CVE-2026-48982 addresses a different race in the same pad-update path: when creating a temporary file during pad rotation, open() is called without the O_EXCL flag, meaning two concurrent processes can both believe they hold the exclusive temporary file. Without atomic creation, an attacker could cause pad corruption or information leakage.
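The two patterns are easiest to compare side by side. The C program below is an added example written for this article, not code from pam_usb: it keeps the lstat()-then-mkdir() shape as the racy form, then shows the race-free form (create first, open the directory itself with O_NOFOLLOW, verify the result with fstat()) and an O_EXCL temp-file creation, and runs a self-check that plants a symlink at the pad-directory path the way a racing local process would. All function names, the /tmp demo paths and the ownership and permission checks are this example's own assumptions, not pam_usb's.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Check-then-act shape described for CVE-2026-48983: between lstat() and
 * mkdir() another local process can drop a symlink at `path`, and the later
 * pad write follows it. Kept only as the contrast case. */
int create_pad_dir_racy(const char *path)
{
    struct stat st;
    if (lstat(path, &st) == 0)
        return 0;                 /* "exists", but might be a symlink by now */
    return mkdir(path, 0700);     /* race window lies between the two calls */
}

/* Race-free form: create unconditionally, then open the directory itself with
 * O_NOFOLLOW and check with fstat() what was actually opened. Returns a
 * directory fd for later openat() calls, or -1. */
int open_pad_dir_safe(const char *path)
{
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                /* ELOOP if a symlink was planted */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Atomic temp-file creation for pad rotation (CVE-2026-48982): with O_EXCL the
 * second of two racing creators fails with EEXIST instead of sharing the file. */
int create_pad_tmp_excl(int dirfd, const char *name)
{
    return openat(dirfd, name,
                  O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Self-check on a throwaway directory; returns 0 when both defences hold,
 * otherwise a bitmask naming the failed step. */
int pad_dir_selftest(void)
{
    char base[] = "/tmp/pamusb-demo-XXXXXX";       /* constructed demo path */
    if (mkdtemp(base) == NULL)
        return 1;
    char link[PATH_MAX], victim[PATH_MAX];
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(link, sizeof link, "%s/pad", base);
    int rc = 0;
    /* Simulate the symlink planted inside the race window. */
    if (mkdir(victim, 0700) != 0 || symlink(victim, link) != 0)
        rc |= 2;
    if (create_pad_dir_racy(link) != 0)        /* racy form reports success */
        rc |= 4;
    if (open_pad_dir_safe(link) != -1)         /* safe form refuses the link */
        rc |= 8;
    int dfd = open_pad_dir_safe(victim);       /* a real directory is fine */
    if (dfd < 0) {
        rc |= 16;
    } else {
        int fd1 = create_pad_tmp_excl(dfd, "pad.tmp");
        int fd2 = create_pad_tmp_excl(dfd, "pad.tmp");  /* "second process" */
        if (fd1 < 0 || fd2 != -1 || errno != EEXIST)
            rc |= 32;
        if (fd1 >= 0)
            close(fd1);
        unlinkat(dfd, "pad.tmp", 0);
        close(dfd);
    }
    unlink(link);
    rmdir(victim);
    rmdir(base);
    return rc;
}

int main(void)
{
    int rc = pad_dir_selftest();
    printf("pad directory self-test: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The directory fd returned by open_pad_dir_safe() is the piece that makes the rest of the pad path safe: every later pad write should go through openat() relative to that fd, so a symlink swapped in after the check no longer matters.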

**NULL dereference crash — CVE-2026-48985** In pam_usb 0.9.1 and earlier, the function pusb_is_loginctl_local() opens a pipe to loginctl and parses the output. If the Remote field in the loginctl output is an empty line (only a newline), fgets() succeeds but subsequent parsing with strtok_r() can produce a NULL pointer that is then dereferenced, crashing the authentication process. Any unprivileged user on a system where loginctl returns sparse session data could trigger a denial of service against the PAM module.
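The parsing failure is easier to reason about with the loop in front of you. The program below is an added example, not pam_usb's pusb_is_loginctl_local(): it shows the unchecked strtok_r() sequence as the crash case, a checked parser that returns an error code for a blank or malformed line, and a fgets() loop driven from an in-memory buffer (fmemopen()) instead of a pipe to loginctl. The key=value line format, the function names and the constructed sample outputs are assumptions of this example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>

/* Shape described for CVE-2026-48985: for a line that is only "\n" the first
 * strtok_r() already returns NULL, and the strcmp() below dereferences it.
 * Deliberately left as the crash case; the self-checks never call it. */
int remote_field_unchecked(char *line)
{
    char *save = NULL;
    char *key = strtok_r(line, "=\n", &save);      /* NULL for "\n" */
    char *val = strtok_r(NULL, "=\n", &save);      /* NULL for "Remote=\n" */
    if (strcmp(key, "Remote") != 0)                /* NULL key dereferenced */
        return -1;
    return strcmp(val, "no") != 0;                 /* NULL value dereferenced */
}

/* Checked form. Returns 1 for "Remote=yes", 0 for "Remote=no" and -1 for
 * anything else: blank line, missing '=', empty value, unknown key or value.
 * Works on a copy so the caller's line buffer is left intact. */
int remote_field_checked(const char *line)
{
    char buf[256];
    if (line == NULL || *line == '\0' || *line == '\n')
        return -1;
    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);
    char *save = NULL;
    char *key = strtok_r(buf, "=\n", &save);
    char *val = strtok_r(NULL, "=\n", &save);
    if (key == NULL || val == NULL || strcmp(key, "Remote") != 0)
        return -1;
    if (strcmp(val, "no") == 0)
        return 0;
    if (strcmp(val, "yes") == 0)
        return 1;
    return -1;
}

/* Mirrors the fgets() loop over loginctl output, fed here from memory rather
 * than a pipe. Returns the first valid Remote value, or -1 if none is found.
 * A blank line makes fgets() succeed with "\n", exactly the case that has to
 * be tolerated. */
int scan_loginctl_output(const char *output)
{
    FILE *fp = fmemopen((void *)output, strlen(output), "r");
    if (fp == NULL)
        return -1;
    char line[256];
    int result = -1;
    while (fgets(line, sizeof line, fp) != NULL) {
        int r = remote_field_checked(line);
        if (r >= 0) {
            result = r;
            break;
        }
    }
    fclose(fp);
    return result;
}

/* Constructed samples (not real loginctl captures). The first contains the
 * blank line before the Remote property that crashed the unchecked parser. */
const char sample_loginctl_sparse[]  = "Id=3\n\nRemote=no\nType=tty\n";
const char sample_loginctl_remote[]  = "Id=7\nRemote=yes\n";
const char sample_loginctl_missing[] = "Id=8\n\n\n";

int main(void)
{
    printf("sparse:  %d\n", scan_loginctl_output(sample_loginctl_sparse));
    printf("remote:  %d\n", scan_loginctl_output(sample_loginctl_remote));
    printf("missing: %d\n", scan_loginctl_output(sample_loginctl_missing));
    return 0;
}
```

The rule the checked version follows is the general one for any tokenizer: every strtok_r() result is a pointer that may be NULL, so it is tested before it is passed to strcmp() or indexed, and a "no usable field" outcome is a return value the caller handles rather than a crash of the PAM conversation.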

**Infinite-loop DoS — CVE-2026-48986** The process-tree walker usb_get_process_parent_id() does not initialize the *ppid output parameter on failure. If /proc entries vanish because a parent process exits during the authentication handshake, the uninitialized value is reused in pusb_local_login() as both input and output in a while loop, leading to an indefinite loop that hangs the authentication attempt. The bug is a straightforward local DoS against any user trying to authenticate via pam_usb when process churn is high.
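Two separate defences close this class of bug: the lookup must always write its output parameter, even on failure, and the loop that consumes it must have a termination condition that does not depend on the lookup succeeding. The program below is an added example, not pam_usb's usb_get_process_parent_id() or pusb_local_login(): it reads the parent pid from /proc/<pid>/stat with a guaranteed *ppid = 0 on every failure path, and walks the ancestor chain with a depth cap and a self-loop check. A small constructed parent table stands in for /proc so the walker can be exercised offline, including a vanished parent and a cycle; the function names and the table contents are this example's assumptions.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

typedef int (*parent_lookup_fn)(pid_t pid, pid_t *ppid);

/* Reads the parent pid from /proc/<pid>/stat. *ppid is set to 0 before any
 * failure path is taken, so the caller never sees whatever was left in the
 * variable (the omission described for CVE-2026-48986). */
int proc_parent_pid(pid_t pid, pid_t *ppid)
{
    char path[64], buf[512];
    *ppid = 0;
    snprintf(path, sizeof path, "/proc/%d/stat", (int)pid);
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -1;                  /* process already exited */
    size_t n = fread(buf, 1, sizeof buf - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    /* The comm field may contain spaces or parentheses: parse after the last ')'. */
    char *p = strrchr(buf, ')');
    if (p == NULL)
        return -1;
    char state;
    int parent;
    if (sscanf(p + 1, " %c %d", &state, &parent) != 2)
        return -1;
    *ppid = (pid_t)parent;
    return 0;
}

/* Constructed parent table for offline runs: 100 -> 50 -> 7 -> 1, plus a
 * 200 <-> 201 cycle. Pid 99 has no entry, standing in for a /proc directory
 * that vanished mid-walk. Same contract as proc_parent_pid(). */
int table_parent_pid(pid_t pid, pid_t *ppid)
{
    static const pid_t table[][2] = {
        {100, 50}, {50, 7}, {7, 1}, {1, 0}, {200, 201}, {201, 200},
    };
    *ppid = 0;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (table[i][0] == pid) {
            *ppid = table[i][1];
            return 0;
        }
    }
    return -1;
}

/* Walks from `start` towards pid 1. Returns the number of ancestors visited,
 * or -1 when a parent could not be resolved, a self-loop appeared, or the
 * depth cap was hit. Every exit path is bounded, so process churn or a
 * corrupted chain cannot turn this into a hang. */
int walk_process_tree(pid_t start, parent_lookup_fn lookup, int max_depth)
{
    pid_t pid = start, ppid;
    int steps = 0;
    while (pid > 1 && steps < max_depth) {
        if (lookup(pid, &ppid) != 0)
            return -1;              /* parent vanished: stop, don't spin */
        if (ppid == pid || ppid < 0)
            return -1;              /* self-loop or garbage value */
        pid = ppid;
        steps++;
    }
    return steps < max_depth ? steps : -1;
}

/* Shows the contract directly: the value left in ppid after a lookup,
 * whether or not the lookup succeeded. */
pid_t parent_or_zero(pid_t pid, parent_lookup_fn lookup)
{
    pid_t ppid = (pid_t)-1;         /* deliberately stale: must be overwritten */
    lookup(pid, &ppid);
    return ppid;
}

int main(void)
{
    printf("ancestors of this process: %d\n",
           walk_process_tree(getpid(), proc_parent_pid, 64));
    printf("table walk from 100: %d, from 99: %d, from 200: %d\n",
           walk_process_tree(100, table_parent_pid, 64),
           walk_process_tree(99, table_parent_pid, 64),
           walk_process_tree(200, table_parent_pid, 64));
    return 0;
}
```

The depth cap is the part most worth copying: a real process tree is shallow, so a cap of a few dozen costs nothing, and it turns any unforeseen failure in the lookup into a bounded, loggable error instead of a hung login.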

**Sensitive-data residual in heap — CVE-2026-48984** The xfree() memory-release helper calls free() without first calling explicit_bzero() or memset() to clear the buffer contents. Because the freed heap buffers previously held one-time pad bytes read from disk — the cryptographic material that underpins pam_usb's authentication scheme — an attacker who can read freed heap memory (via a heap-infoleak primitive or by allocating the same slab from another process) could recover the pad data. While not directly exploitable on its own, CVE-2026-48984 lowers the security bar for an attacker who already has limited local access.
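A scrub-before-free helper is short, but two details decide whether it actually works: the release routine has to know the buffer length, and the zeroing must be something the compiler cannot drop as a dead store. The program below is an added example, not pam_usb's xfree(): it pairs the unscrubbed free with a size-aware release that uses explicit_bzero() where glibc provides it and a volatile byte loop elsewhere, and runs a self-check on a constructed 32-byte pad. The struct, function names and the pad contents are this example's assumptions.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Handle that carries the length, which a plain void* free helper cannot. */
struct pad_buf {
    unsigned char *data;
    size_t len;
};

/* Shape described for CVE-2026-48984: the chunk goes back to the allocator
 * with the pad bytes still in it. */
void xfree_unscrubbed(void *p)
{
    free(p);
}

/* Zeroing the optimizer may not remove. A plain memset() right before free()
 * is a dead store from the compiler's point of view and can be elided. */
void secure_zero(void *p, size_t n)
{
#if defined(__GLIBC__) && (__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 25))
    explicit_bzero(p, n);
#else
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
#endif
}

/* Size-aware release: scrub, free, and clear the handle so a later stale use
 * sees NULL and length 0 rather than old pad bytes. */
void pad_buf_free(struct pad_buf *b)
{
    if (b == NULL || b->data == NULL)
        return;
    secure_zero(b->data, b->len);
    free(b->data);
    b->data = NULL;
    b->len = 0;
}

/* Loads pad bytes from memory. A real loader reading from disk should use
 * read(2) into this buffer directly: fread() would leave a second copy of the
 * pad in the FILE's internal stdio buffer, outside the reach of this scrub. */
int pad_buf_load(struct pad_buf *b, const unsigned char *src, size_t n)
{
    b->data = malloc(n);
    if (b->data == NULL)
        return -1;
    memcpy(b->data, src, n);
    b->len = n;
    return 0;
}

int bytes_all_zero(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] != 0)
            return 0;
    return 1;
}

/* Self-check: fill a pad, scrub it in place while still allocated (so the
 * result can be inspected legally), then release it. Returns 1 on success. */
int scrub_selftest(void)
{
    unsigned char constructed_pad[32];          /* constructed, not a real pad */
    for (size_t i = 0; i < sizeof constructed_pad; i++)
        constructed_pad[i] = (unsigned char)(0xA5 ^ i);   /* never zero */
    struct pad_buf b;
    if (pad_buf_load(&b, constructed_pad, sizeof constructed_pad) != 0)
        return 0;
    int before = bytes_all_zero(b.data, b.len);  /* 0: pad present */
    secure_zero(b.data, b.len);
    int after = bytes_all_zero(b.data, b.len);   /* 1: pad gone */
    pad_buf_free(&b);
    secure_zero(constructed_pad, sizeof constructed_pad);  /* stack copy too */
    return before == 0 && after == 1 && b.data == NULL && b.len == 0;
}

int main(void)
{
    printf("scrub self-test: %s\n", scrub_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The length field is why the helper takes a struct rather than a bare pointer: free() does not tell you how large the chunk was, so a drop-in replacement for a void* xfree() cannot scrub without either tracking sizes itself or switching to a sized API like this one.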

**Patch status** The pam_usb maintainers released version 0.9.2 to address all five CVEs. Users of pam_usb should upgrade to 0.9.2 or later. The advisory covers all releases before 0.9.2; version 0.9.2 itself contains fixes for the TOCTOU race, the missing O_EXCL flag, the NULL-dereference crash, the infinite loop, and the memory-scrubbing omission.

**Why this matters** pam_usb is a niche but security-critical piece of infrastructure: it turns a USB stick into a hardware authentication factor for Linux logins. The disclosure batch shows that the module's core cryptographic material (the OTP) was exposed to race conditions and memory persistence failures simultaneously. For organizations that rely on USB-device-based authentication, upgrading to 0.9.2 closes a cluster of flaws that could, in combination, enable local privilege escalation or authentication bypass.

AI-written article. Grounded in 5 CVE records listed below.