CVE-2026-47271

Source
https://cve.org/CVERecord?id=CVE-2026-47271
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-47271.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-47271
Aliases
  • GHSA-7rvx-jcc6-7hqq
Published
2026-05-27T20:08:02.552Z
Modified
2026-07-08T08:09:41.142357825Z
Severity
  • 5.1 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
pam_usb: OOM guards removed by -DNDEBUG cause NULL dereference and authentication process crash
Details

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, src/mem.c implemented out-of-memory guards for xmalloc(), xrealloc(), and xstrdup() using assert(data != NULL). The C standard specifies that all assert() expressions are compiled out when NDEBUG is defined at build time. NDEBUG is commonly defined in release and packaging builds (Debian, Fedora, Arch package flags all define it via -DNDEBUG in CFLAGS). With the guard removed, xmalloc/xrealloc/xstrdup silently return NULL on allocation failure. Every caller in the codebase dereferences the return value without a NULL check -- this is the intended design, as the guard was supposed to abort before the dereference. With the guard gone, any allocation failure causes a NULL pointer dereference, crashing the PAM module. A crash in a PAM module loaded by sudo or login causes authentication to fail for the duration of the crash, creating a local denial-of-service condition. An attacker who can induce memory pressure at authentication time can lock all users out of sudo and login. This vulnerability is fixed in 0.9.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47271.json",
    "cwe_ids": [
        "CWE-476"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/mcdope/pam_usb

Affected ranges

Type
GIT
Repo
https://github.com/mcdope/pam_usb
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.9.0"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-47271.json"