Unrated severityNVD Advisory· Published Jun 18, 2026

pam_usb: Infinite loop DoS in process-tree walk when parent process exits during authentication

CVE-2026-48986

Description

pam_usb provides hardware authentication for Linux using removable media. In pam_usb 0.9.1 and earlier, usb_get_process_parent_id() can cause an infinite loop DoS because it does not initialize *ppid on failure. In pusb_local_login(), the same variable is reused as input and output in a process-tree while loop; if /proc//stat cannot be read (for example, when an ancestor process exits during authentication), the PID is not updated and the loop does not terminate. This hangs the authenticating process (such as sudo, sshd, or login) until it is forcibly terminated. This issue has been fixed in version 0.9.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

Aluzzardi/Pam Usbinferred
Range: <=0.9.1
Mcdope/Pam Usbllm-fuzzy
Range: <=0.9.1

Patches

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/mcdope/pam_usb/releases/tag/0.9.2mitrex_refsource_MISC
github.com/mcdope/pam_usb/security/advisories/GHSA-h28h-9hc3-v595mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000