CVE-2026-48984
MediumCVSS 4.7Summary
In versions 0.9.1 and below, the xfree() function in pam_usb releases memory without first zeroing the buffer contents, leading to the exposure of sensitive data in freed memory. This could allow recovery of pad values or other authentication material from freed memory regions.
Risk Assessment
Organizations may be exposed to sensitive data leaks, potentially leading to unauthorized access to systems. There is a risk that attackers could recover authentication data from memory.
Recommendation
It is recommended to update pam_usb to a version above 0.9.1 to eliminate this vulnerability. Additionally, implementing memory protection mechanisms is advisable to minimize the risk of data leaks.
Original NVD description (English source)
pam_usb provides hardware authentication for Linux using ordinary removable media. In versions 0.9.1 and below, the xfree() memory release helper in calls free() without first zeroing the buffer contents, releasing heap-allocated buffers containing sensitive data — including one-time pad bytes read from disk — without clearing, leaving the sensitive content in freed heap memory until it happens to be overwritten by a subsequent allocation. On a system where a use-after-free condition exists, or where a heap inspection primitive becomes available, this could allow recovery of pad values or other authentication material from freed memory regions. This is a defence-in-depth requirement consistent with prior hardening work in this codebase (GHSA-vx6f-rrqr-j87c applied explicit_bzero to some pad paths; this issue generalises the pattern to the central deallocation helper).

