NVD Vulnerability Detail
Search Exploit, PoC
CVE-2026-48792
Summary

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/evdev.c silently ignores EACCES errors when opening /dev/input/event* nodes, causing pusb_has_virtual_input_device() to return 0 (no virtual devices found) even when every open() call failed due to insufficient permissions. The caller in src/local.c cannot distinguish a clean absence of virtual devices from a permission-denied scan, and acts on the false negative by continuing authentication without denying. This vulnerability is fixed in 0.9.1.

Publication Date May 28, 2026, 5:16 a.m.
Registration Date May 29, 2026, 4:11 a.m.
Last Update May 28, 2026, 10:57 p.m.
CVSS3.1 : MEDIUM
スコア 4.4
Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
攻撃元区分(AV) ローカル
攻撃条件の複雑さ(AC)
攻撃に必要な特権レベル(PR)
利用者の関与(UI) 不要
影響の想定範囲(S) 変更なし
機密性への影響(C)
完全性への影響(I)
可用性への影響(A) なし
Related information, measures and tools
Common Vulnerabilities List