CVE-2026-48984

Source
https://cve.org/CVERecord?id=CVE-2026-48984
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48984.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-48984
Aliases
  • GHSA-rmp6-wfrq-wrrc
Published
2026-06-18T17:06:00.918Z
Modified
2026-07-08T08:12:35.621770424Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
pam_usb: xfree() does not call explicit_bzero — sensitive cryptographic material may linger in freed heap
Details

pamusb provides hardware authentication for Linux using ordinary removable media. In versions 0.9.1 and below, the xfree() memory release helper in calls free() without first zeroing the buffer contents, releasing heap-allocated buffers containing sensitive data — including one-time pad bytes read from disk — without clearing, leaving the sensitive content in freed heap memory until it happens to be overwritten by a subsequent allocation. On a system where a use-after-free condition exists, or where a heap inspection primitive becomes available, this could allow recovery of pad values or other authentication material from freed memory regions. This is a defence-in-depth requirement consistent with prior hardening work in this codebase (GHSA-vx6f-rrqr-j87c applied explicitbzero to some pad paths; this issue generalises the pattern to the central deallocation helper).

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48984.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-14",
        "CWE-226"
    ]
}
References

Affected packages

Git / github.com/mcdope/pam_usb

Affected ranges

Type
GIT
Repo
https://github.com/mcdope/pam_usb
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.9.2"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

0.*
0.5.0
0.7.1
0.7.2
0.7.3
0.8.3
0.8.4
0.8.7
0.9.0
0.9.1
v0.*
v0.7.0
v0.8.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48984.json"